
Answer-first summary for fast verification
Answer: Create an Amazon EventBridge rule to invoke an AWS Lambda function to check the CloudFormation stack for drift. Configure the function to use Amazon Simple Notification Service (Amazon SNS) to notify the CloudOps engineer if the function detects any drift.
EventBridge paired with Lambda for CloudFormation drift detection is a highly automated, low-administrative-effort way to track changes (drift) in resources managed by CloudFormation, including IAM policies. Amazon SNS supplies the required notification to the CloudOps engineer.
Author: Ritesh Yadav
production. The CloudOps engineer has configured AWS CloudTrail in both the sandbox account and the production account.
The CloudOps engineer wants to detect any changes to the IAM policies after the policies have been deployed by CloudFormation. The CloudOps engineer must receive notifications for any changes to the policies.
Which solution will meet these requirements with the LEAST administrative effort?
A
Configure CloudTrail to send email notifications to the CloudOps engineer when CloudTrail detects changes to the IAM policies.
B
Create an Amazon EventBridge rule to invoke an AWS Lambda function to check the CloudFormation stack for drift. Configure the function to use Amazon Simple Notification Service (Amazon SNS) to notify the CloudOps engineer if the function detects any drift.
C
Use AWS Identity and Access Management Access Analyzer to generate a policy based on CloudTrail activity for the IAM role that is attached to the IAM policies in the production account. Compare the results to the IAM policies that are in the sandbox account. Send a notification to the CloudOps engineer if the policies are different.
D
Store the IAM policies as a JSON document in an Amazon S3 bucket. Use an AWS Lambda function to periodically compare the IAM policies with the JSON document that is stored in the S3 bucket.
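As an added illustration of option B (not code from the original question or from AWS), this is a Lambda handler that an EventBridge schedule rule would invoke: it starts drift detection on the stack, waits for it to finish, collects the MODIFIED/DELETED resources with IAM resources listed first, and publishes an SNS alert only when drift exists. The environment variable names `STACK_NAME` and `SNS_TOPIC_ARN` are assumptions; the helpers take the client as a parameter so they can be exercised without AWS credentials.

```python
import os
import time

# Assumed (hypothetical) environment variable names: STACK_NAME, SNS_TOPIC_ARN.
TERMINAL = ("DETECTION_COMPLETE", "DETECTION_FAILED")


def check_stack_drift(cfn, stack_name, poll_seconds=2.0, timeout_seconds=240):
    """Start drift detection on `stack_name`, wait for it to finish, and return the
    drifted resources (MODIFIED or DELETED) with AWS::IAM::* resources listed first."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    deadline = time.monotonic() + timeout_seconds
    while True:  # detection is asynchronous; poll its status until it reaches a terminal state
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] in TERMINAL:
            break
        if time.monotonic() > deadline:
            raise TimeoutError(f"drift detection {detection_id} did not complete")
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    drifts = []
    kwargs = {"StackName": stack_name, "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
    while True:  # DescribeStackResourceDrifts is paginated via NextToken
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    return sorted(drifts, key=lambda d: not d["ResourceType"].startswith("AWS::IAM::"))


def format_alert(stack_name, drifts):
    """Build the SNS subject (100-char limit) and body; IAM drift is called out in the subject."""
    iam = [d for d in drifts if d["ResourceType"].startswith("AWS::IAM::")]
    subject = f"[drift] {stack_name}: {len(drifts)} drifted ({len(iam)} IAM)"[:100]
    lines = [f"{d['StackResourceDriftStatus']:8} {d['ResourceType']:28} {d['LogicalResourceId']}"
             for d in drifts]
    return subject, "\n".join(lines)


def lambda_handler(event, context):
    """Entry point invoked by the EventBridge schedule rule."""
    import boto3  # imported here so the helpers above stay usable without the SDK installed
    stack, topic = os.environ["STACK_NAME"], os.environ["SNS_TOPIC_ARN"]
    drifts = check_stack_drift(boto3.client("cloudformation"), stack)
    if drifts:  # notify only when something actually drifted
        subject, body = format_alert(stack, drifts)
        boto3.client("sns").publish(TopicArn=topic, Subject=subject, Message=body)
    return {"stack": stack, "drifted": len(drifts)}
```

The Lambda execution role needs `cloudformation:DetectStackDrift`, `cloudformation:DescribeStackDriftDetectionStatus`, `cloudformation:DescribeStackResourceDrifts` and `sns:Publish` on the topic, and the function timeout must exceed the polling window.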