
Answer-first summary for fast verification
Answer: Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the --no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.
The correct option is C. AWS Config is purpose-built for assessing and auditing the configuration of AWS resources, so it is the natural fit for identifying noncompliant resources. Security Hub integrates with AWS Config, centralizing security findings and compliance data. Enabling the AWS Config configuration recorder in every account and setting up managed and custom rules gives continuous compliance monitoring. Automatic remediation can be achieved with AWS Config conformance packs, and a centralized dashboard in AWS Security Hub, in a designated administrator account, allows efficient tracking of noncompliant events with their timestamps. This solution meets the requirement of minimal development overhead while providing comprehensive monitoring and remediation.
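As an added illustration (not part of the question or the LeetQuiz explanation), this is the shape of the conformance pack piece of option C: one AWS Config managed rule paired with an automatic remediation configuration in the same template, so a noncompliant resource is fixed without custom Lambda code. The chosen rule, the SSM automation document, the role name and the account ID are assumptions for the example.

```yaml
# Constructed conformance pack template (example only).
# Deploy with: aws configservice put-conformance-pack (or via Organizations
# for all accounts). Both resources live in the same pack, so the rule and
# its remediation are versioned and rolled out together.
Resources:
  S3BucketPublicReadProhibited:
    # AWS managed rule: flags buckets that allow public read access.
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

  S3BucketPublicReadRemediation:
    # Automatic remediation: when the rule above evaluates a bucket as
    # NON_COMPLIANT, AWS Config runs the SSM automation document against it.
    Type: AWS::Config::RemediationConfiguration
    DependsOn: S3BucketPublicReadProhibited
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true
      MaximumAutomaticAttempts: 5   # give up after 5 failed runs
      RetryAttemptSeconds: 60       # wait 60 s between attempts
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              # Placeholder account ID and role name; the role must allow
              # s3:PutBucketAcl / s3:PutBucketPublicAccessBlock for the fix.
              - arn:aws:iam::111122223333:role/ConfigRemediationRole
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID   # bucket name taken from the noncompliant resource
```

Each remediation attempt and its outcome is recorded by AWS Config, and the rule's compliance change surfaces as a finding in Security Hub, which is where the timestamped dashboard view comes from.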
Author: LeetQuiz Editorial Team
A company is managing multiple AWS accounts for different application teams, consolidated under AWS Organizations. They aim to enforce security standards and prevent noncompliance due to misconfigurations by using AWS CloudFormation. The production support team can modify resources directly via the AWS Management Console. A DevOps engineer needs to implement a solution that identifies and automatically remediates any AWS service misconfigurations leading to noncompliance within 15 minutes, and also tracks these issues in a centralized dashboard with precise timestamps. Which solution requires the least development effort to achieve these goals?
A
Use CloudFormation drift detection to identify noncompliant resources. Use drift detection events from CloudFormation to invoke an AWS Lambda function for remediation. Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group. Configure an Amazon CloudWatch dashboard to use the log group for tracking.
B
Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resources. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.
C
Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the --no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.
D
Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logs filters for drift detection. Use Amazon EventBridge to invoke the Lambda function for remediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up a dashboard on OpenSearch Service for tracking.