Q90 — AWS SCS-C02 Ch.1


A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?

Correct Answer: A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Explanation

AWS Config provides managed rules that continuously evaluate whether AWS resource configurations comply with policy. When unencrypted RDS storage is detected, a remediation action is triggered automatically, sending an alert through an SNS topic and invoking Lambda to terminate the resource. EventBridge's event-based trigger mechanism is better suited to responding to specific events than to continuous compliance checks. AWS Config's automatic remediation (rather than manual remediation) ensures a real-time response and satisfies the requirement for full automation. Options C/D rely on event patterns and may miss detection of the encryption state after a configuration change, while the manual intervention in option B cannot deliver efficient operations. AWS official documentation states that AWS Config's automatic remediation feature is suitable for real-time compliance governance scenarios.