Q54 — AWS SAP-C02 Ch.3
Q279. A company has set up its entire infrastructure on AWS. The company uses Amazon EC2 instances to host its ecommerce website and uses Amazon S3 to store static data. Three engineers at the company handle the cloud administration and development through one AWS account. Occasionally an engineer alters an EC2 security group configuration of another engineer and causes noncompliance issues in the environment. A solutions architect must set up a system that tracks changes that the engineers make. The system must send alerts when the engineers make noncompliant changes to the security settings for the EC2 instances. What is the FASTEST way for the solutions architect to meet these requirements?
- A. Set up AWS Organizations for the company. Apply SCPs to govern and track noncompliant security group changes that are made to the AWS account.
- B. Enable AWS CloudTrail to capture the changes to EC2 security groups. Enable Amazon CloudWatch rules to provide alerts when noncompliant security settings are detected.
- C. Enable SCPs on the AWS account to provide alerts when noncompliant security group changes are made to the environment.
- D. Enable AWS Config on the EC2 security groups to track any noncompliant changes. Send the changes as alerts through an Amazon Simple Notification Service (Amazon SNS) topic. ✓
Correct Answer: D. Enable AWS Config on the EC2 security groups to track any noncompliant changes. Send the changes as alerts through an Amazon Simple Notification Service (Amazon SNS) topic.
Explanation
The requirements are two: track the changes the engineers make, and alert when a change leaves an EC2 security group noncompliant. D satisfies both with services that already exist inside the single account, which is why it is the fastest option.

D. AWS Config records every configuration change to a security group as a configuration item, so the resource's timeline shows what changed and when (and links to the CloudTrail event that made the change). Each change is evaluated against Config rules; the managed rules for security groups (for example restricted-ssh, which flags a group that allows 0.0.0.0/0 on TCP port 22) need no custom code. A compliance change can then be delivered to an Amazon SNS topic, which produces the alert. Setting this up means turning on the configuration recorder, choosing the rules and creating a topic, all within the existing account; no account restructuring or custom evaluation logic is needed.

A. AWS Organizations and service control policies (SCPs) are permission guardrails. An SCP can deny an API call, but it records nothing and sends no alerts, so it cannot "track" changes. Creating an Organization is also additional setup that the requirement does not call for.

B. CloudTrail captures the API calls (for example AuthorizeSecurityGroupIngress), and a CloudWatch Events (EventBridge) rule can react to them. However, the rule only sees that a call happened; deciding whether the resulting security group is compliant requires writing and maintaining custom evaluation logic, typically in a Lambda function. That works, but it is slower to build than Config managed rules.

C. SCPs cannot be "enabled" on a standalone account (they are a feature of AWS Organizations), and they do not generate alerts. They define the maximum permissions available in an account; they do not track or evaluate the changes made within it.
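The page does not show what the AWS Config alert actually looks like. The following is an added example, not code from the original page: it assumes the managed rule INCOMING_SSH_DISABLED is deployed under the name restricted-ssh, that an EventBridge rule with the event pattern below forwards "Config Rules Compliance Change" events to a Lambda function, and that the function publishes to an SNS topic. The account id, security group id, topic ARN and the sample event are all constructed placeholders that mirror the documented event shape.

```python
"""Alert on AWS Config compliance changes for EC2 security groups.

Added example, not from the original page. Assumes the managed rule
INCOMING_SSH_DISABLED is deployed as "restricted-ssh" and that an EventBridge
rule using EVENT_PATTERN invokes handler(), which publishes to an SNS topic.
Account ids, security group ids and ARNs are placeholders.
"""
import json
from typing import Any, Callable

# EventBridge event pattern: only security-group evaluations that became
# NON_COMPLIANT. Each leaf is a list of accepted values (exact-match syntax).
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "resourceType": ["AWS::EC2::SecurityGroup"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Exact-match subset of EventBridge pattern matching: every pattern key
    must be present in the event, and a list leaf means 'value is one of'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def build_alert(event: dict) -> dict:
    """Flatten a compliance-change event into the Subject/Message pair that
    SNS Publish takes. SNS subjects are limited to 100 characters."""
    detail = event["detail"]
    new = detail["newEvaluationResult"]
    old = detail.get("oldEvaluationResult") or {}
    subject = (f"[AWS Config] {detail['resourceType']} {detail['resourceId']} "
               f"is {new['complianceType']}")
    body = {
        "account": detail["awsAccountId"],
        "region": detail["awsRegion"],
        "rule": detail["configRuleName"],
        "resource_id": detail["resourceId"],
        "previous": old.get("complianceType", "UNKNOWN"),
        "current": new["complianceType"],
        "annotation": new.get("annotation", ""),
        "recorded_at": new["resultRecordedTime"],
    }
    return {"Subject": subject[:100], "Message": json.dumps(body, indent=2)}


def handler(event: dict, publish: Callable[..., Any], topic_arn: str) -> bool:
    """Lambda-style entry point. The SNS publish call is injected so the logic
    runs offline; in Lambda pass boto3.client("sns").publish. Returns whether
    an alert was sent."""
    if not matches_pattern(event, EVENT_PATTERN):
        return False
    alert = build_alert(event)
    publish(TopicArn=topic_arn, Subject=alert["Subject"], Message=alert["Message"])
    return True


# Constructed sample event mirroring the documented "Config Rules Compliance
# Change" shape: an engineer opened port 22 to the world on a security group.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "account": "123456789012",
    "time": "2024-01-15T10:23:45Z",
    "region": "us-east-1",
    "detail": {
        "resourceId": "sg-0123456789abcdef0",
        "awsRegion": "us-east-1",
        "awsAccountId": "123456789012",
        "configRuleName": "restricted-ssh",
        "configRuleARN": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-sample",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "resultRecordedTime": "2024-01-15T10:23:44.000Z",
            "annotation": "Security group allows unrestricted ingress on TCP port 22.",
        },
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
        "notificationCreationTime": "2024-01-15T10:23:45.000Z",
        "resourceType": "AWS::EC2::SecurityGroup",
    },
}


def run_offline(event: dict = SAMPLE_EVENT) -> list:
    """Exercise the handler with a publish stub that records what would go to SNS."""
    sent = []
    handler(event, publish=lambda **kw: sent.append(kw),
            topic_arn="arn:aws:sns:us-east-1:123456789012:sg-compliance-alerts")
    return sent


if __name__ == "__main__":
    for msg in run_offline():
        print(msg["Subject"])
        print(msg["Message"])
```

The pattern filters on newEvaluationResult.complianceType so that the topic only receives transitions to NON_COMPLIANT; a rule that matched every compliance-change event would also fire when the group is fixed, which is noise for the on-call engineer. The oldEvaluationResult is included in the message body because "was COMPLIANT, now NON_COMPLIANT" is exactly the signal that one engineer has undone another's work.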