AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company recently migrated its entire IT environment to the AWS Cloud. The company discovers that users are provisioning oversized Amazon EC2 instances and modifying security group rules without using the appropriate change control process. A solutions architect must devise a strategy to track and audit these inventory and configuration changes.
Which actions should the solutions architect take to meet these requirements? (Choose two.)
Other
Community
UAnonymous
A
Enable AWS CloudTrail and use it for auditing.
B
Use data lifecycle policies for the Amazon EC2 instances.
C
Enable AWS Trusted Advisor and reference the security dashboard.
D
Enable AWS Config and create rules for auditing and compliance purposes.
E
Restore previous resource configurations with an AWS CloudFormation template.
Explanation:
Explanation
Correct Answers: A and D
Why A (AWS CloudTrail) is correct:
- AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
- It logs all API calls made in your AWS account, including who made the call, when it was made, and what resources were affected.
- For tracking EC2 instance provisioning and security group modifications, CloudTrail provides detailed audit trails of these API calls (e.g.,
RunInstances,AuthorizeSecurityGroupIngress,ModifySecurityGroupRules).
Why D (AWS Config) is correct:
- AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- It helps track configuration changes over time and provides a detailed inventory of your AWS resources.
- You can create Config rules to evaluate resource configurations for compliance with internal policies (e.g., checking for oversized EC2 instances or unauthorized security group changes).
Why the other options are incorrect:
B (Data lifecycle policies):
- Data lifecycle policies are for managing data storage lifecycle (like Amazon S3 lifecycle policies), not for tracking configuration changes or auditing user actions.
C (AWS Trusted Advisor):
- AWS Trusted Advisor provides best practice recommendations across cost optimization, security, fault tolerance, and performance, but it doesn't provide detailed audit trails of user actions or configuration changes.
- While it has a security dashboard, it's not designed for tracking specific user provisioning activities or configuration modifications.
E (Restore with CloudFormation):
- AWS CloudFormation is for infrastructure as code and deployment, not for auditing or tracking changes.
- While you could use CloudFormation to restore configurations, this doesn't address the requirement to "track and audit" changes - it only addresses remediation after the fact.
Key AWS Services for Auditing:
- AWS CloudTrail - For API call logging and user activity tracking
- AWS Config - For resource configuration tracking and compliance auditing
- Amazon CloudWatch - For monitoring and alerting (could complement the solution)
- AWS Security Hub - For centralized security findings (aggregates from multiple services)
Together, CloudTrail and Config provide comprehensive visibility into both user activities (who did what) and resource configurations (what changed).
Comments
Loading comments...