Explanation:
The correct choice is AWS Config. It continuously records configuration state, relationships, and changes for supported AWS resources, and it enables rule-based evaluation and timeline views that satisfy audit and compliance requirements over time. Amazon GuardDuty is a managed threat detection service that analyzes telemetry for malicious or unauthorized behavior, but it does not capture or store configuration histories. AWS Security Hub centralizes and correlates security findings from multiple sources, yet it is not a configuration recorder and cannot provide resource configuration timelines. Amazon CloudWatch provides metrics, logs, dashboards, and alarms. While events can react to changes, it does not maintain comprehensive historical configuration state for resources. Remember: CloudTrail answers who did what via API calls, while AWS Config answers what the resource looked like and when it changed. Do not confuse this with GuardDuty (threat detection) or Security Hub (findings aggregation).
Ultimate access to all questions.
A regional healthcare analytics firm, Orion BioAnalytics, needs to observe API activity across multiple AWS accounts to detect suspicious access attempts. They must also preserve an auditable history of how AWS resource configurations change over time to meet regulatory requirements. The team has already enabled an organization trail in AWS CloudTrail and is using the 90-day event history. Which additional AWS service should they deploy to continuously record and evaluate configuration changes to their resources?
A
Amazon GuardDuty
B
AWS Security Hub
C
AWS Config
D
Amazon CloudWatch
No comments yet.