Q82 — AWS DOP-C02 Ch.1
Question 82 of 100
A company uses AWS CloudFormation to deploy its application environment. A recent update to the CloudFormation stack failed during deployment. A DevOps engineer discovered that some resources in the stack had been manually modified. The DevOps engineer needs a solution that detects manual modifications to stack resources and alerts the DevOps manager. Which solution meets these requirements with the least operational overhead?
- A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps manager’s email address to the SNS topic. Create an AWS Config managed rule with identifier CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an Amazon EventBridge rule that invokes on NON_COMPLIANT resource state. Set the SNS topic as the rule target. ✓
- B. Tag all CloudFormation resources with a specific tag. Use the AWS Config Rules Development Kit library (RDKlib) to create a custom AWS Config rule that checks for changes to all tagged resources. Configure the custom rule to mark any change to tagged resources as NON_COMPLIANT when CloudFormation did not perform the change. Create an Amazon EventBridge rule that invokes on NON_COMPLIANT resource state. Create an AWS Lambda function to send an email to the DevOps manager. Set the Lambda function as the rule target.
- C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps manager’s email address to the SNS topic. Create an AWS Config managed rule with identifier CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an Amazon EventBridge rule that invokes on COMPLIANT resource state. Set the SNS topic as the rule target.
- D. Create an AWS Config managed rule with identifier CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an Amazon EventBridge rule that invokes on NON_COMPLIANT resource state. Create an AWS Lambda function to send an email to the DevOps manager. Set the Lambda function as the rule target.
Correct Answer: A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps manager’s email address to the SNS topic. Create an AWS Config managed rule with identifier CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an Amazon EventBridge rule that invokes on NON_COMPLIANT resource state. Set the SNS topic as the rule target.
Explanation
The AWS Config managed rule CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK detects drift between the actual state of a CloudFormation stack's resources and the state defined in its template. When drift is detected, the stack is evaluated as NON_COMPLIANT. Amazon EventBridge natively receives AWS Config compliance-change events, so a rule that matches the NON_COMPLIANT state can deliver the alert to an Amazon SNS topic with no custom code or complex configuration. The solution uses only fully managed services, requires no development effort, and therefore has the lowest operational overhead. Option B introduces unnecessary custom rule development (RDKlib) and Lambda logic; Option C alerts on the COMPLIANT state, which is the opposite of the requirement; Option D omits SNS and requires maintaining a Lambda function for email delivery, which adds complexity.
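The Option A architecture as a CloudFormation template, added here as an illustration and not taken from the question bank or from AWS. It assumes an AWS Config recorder is already enabled in the account, and it adds the one detail the question glosses over: the managed rule requires a cloudformationRoleArn input parameter naming a role that Config assumes to run drift detection (the role name DriftDetectionRole and the ManagerEmail parameter are constructed for this example).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ManagerEmail:
    Type: String   # DevOps manager's address, supplied at deploy time (placeholder)
Resources:
  DriftAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref ManagerEmail
  DriftAlertTopicPolicy:   # EventBridge must be allowed to publish to the topic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref DriftAlertTopic]
      PolicyDocument:
        Statement: [{Effect: Allow, Principal: {Service: events.amazonaws.com}, Action: sns:Publish, Resource: !Ref DriftAlertTopic}]
  DriftDetectionRole:   # role the managed rule assumes to run drift detection
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement: [{Effect: Allow, Principal: {Service: config.amazonaws.com}, Action: sts:AssumeRole}]
      # drift detection reads the live resources, so read access to them is required as well
      ManagedPolicyArns: [arn:aws:iam::aws:policy/ReadOnlyAccess]
      Policies:
        - PolicyName: DetectDrift
          PolicyDocument:
            Statement: [{Effect: Allow, Action: [cloudformation:DetectStackDrift, cloudformation:DetectStackResourceDrift, cloudformation:DescribeStackDriftDetectionStatus, cloudformation:DescribeStackResourceDrifts], Resource: "*"}]
  DriftRule:
    Type: AWS::Config::ConfigRule
    Properties:
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
      InputParameters:
        cloudformationRoleArn: !GetAtt DriftDetectionRole.Arn
  DriftAlertRule:   # fires only on NON_COMPLIANT; matching COMPLIANT (Option C) would alert on healthy stacks
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.config]
        detail-type: [Config Rules Compliance Change]
        detail:
          configRuleName: [!Ref DriftRule]   # Ref on a ConfigRule returns its name
          newEvaluationResult:
            complianceType: [NON_COMPLIANT]
      Targets:
        - Arn: !Ref DriftAlertTopic
          Id: DriftAlertTopic
```

After deployment the manager must confirm the SNS email subscription, and the rule evaluates on a periodic schedule rather than instantly, so a drifted stack is reported at the next evaluation.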