
Answer-first summary for fast verification
Answer: B. Create an Amazon EventBridge rule to invoke an AWS Lambda function that checks the CloudFormation stack for drift, and have the function publish to an Amazon Simple Notification Service (Amazon SNS) topic to notify the CloudOps engineer whenever it detects drift.
AWS CloudFormation drift detection compares a stack's actual resource configuration with the configuration its template expects and reports each resource that has drifted. Because the policies are deployed by CloudFormation, the stack already holds the expected state, so an EventBridge rule (on a schedule, or matching IAM write events delivered through CloudTrail) that invokes a Lambda function to run drift detection and publish the result to SNS requires no custom comparison logic. The other options cost more effort or do not meet the requirement: CloudTrail records API activity but does not send email notifications on its own (A); IAM Access Analyzer policy generation derives a least-privilege policy from observed activity rather than comparing a deployed policy with its expected definition (C); and keeping a copy of the policies in Amazon S3 with a Lambda function that diffs them periodically rebuilds what drift detection already provides (D).
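The Lambda function described above, as an added example (not code from the original page or from AWS): it starts drift detection, polls the asynchronous detection status, lists the drifted resources and formats an SNS alert. The environment variable names STACK_NAME and SNS_TOPIC_ARN are assumptions, as is the FakeCloudFormation stand-in and its constructed drift result, which exist only so the logic runs offline; the boto3 calls are the real CloudFormation and SNS API operations.

```python
"""EventBridge -> Lambda -> CloudFormation drift detection -> SNS (added example).

Assumes the function's role is allowed cloudformation:DetectStackDrift,
cloudformation:DescribeStackDriftDetectionStatus,
cloudformation:DescribeStackResourceDrifts and sns:Publish.
"""
import os
import time


def run_drift_detection(cfn, stack_name, poll_seconds=3.0, max_polls=100):
    """Start drift detection on `stack_name` and wait for it to finish.

    `cfn` is a boto3 CloudFormation client (or any object with the same methods).
    Returns the drifted resources; an empty list means the stack is in sync.
    Detection is asynchronous, so the status is polled; the Lambda timeout must
    cover the wait, which can be minutes for a stack with many resources.
    """
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        state = status["DetectionStatus"]
        if state == "DETECTION_COMPLETE":
            break
        if state == "DETECTION_FAILED":
            raise RuntimeError("drift detection failed: " + status.get("DetectionStatusReason", "unknown"))
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"drift detection {detection_id} did not finish in time")

    # IN_SYNC, NOT_CHECKED and UNKNOWN all mean there is nothing to alert on here.
    if status["StackDriftStatus"] != "DRIFTED":
        return []

    drifts, token = [], None
    while True:  # the drift listing is paginated
        kwargs = {"StackName": stack_name, "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
        if token:
            kwargs["NextToken"] = token
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        token = page.get("NextToken")
        if not token:
            return drifts


def build_alert(stack_name, drifts):
    """Turn resource drifts into an SNS subject and a readable message body."""
    lines = [f"CloudFormation stack '{stack_name}' has {len(drifts)} drifted resource(s):", ""]
    for d in drifts:
        lines.append(f"- {d['LogicalResourceId']} ({d['ResourceType']}): {d['StackResourceDriftStatus']}")
        for diff in d.get("PropertyDifferences", []):  # ADD, REMOVE or NOT_EQUAL per property
            lines.append(f"    {diff['PropertyPath']} [{diff['DifferenceType']}]")
            lines.append(f"      expected: {diff.get('ExpectedValue')}")
            lines.append(f"      actual:   {diff.get('ActualValue')}")
    subject = f"[DRIFT] {stack_name}: {len(drifts)} resource(s) drifted"
    return subject[:100], "\n".join(lines)  # SNS subjects are limited to 100 characters


def lambda_handler(event, context):
    """Entry point invoked by the EventBridge rule (schedule or CloudTrail IAM write event)."""
    import boto3  # imported here so the logic above stays importable without boto3
    stack_name = os.environ["STACK_NAME"]   # hypothetical variable names
    topic_arn = os.environ["SNS_TOPIC_ARN"]
    cfn, sns = boto3.client("cloudformation"), boto3.client("sns")
    drifts = run_drift_detection(cfn, stack_name)
    if not drifts:
        return {"stack": stack_name, "drifted": 0}
    subject, message = build_alert(stack_name, drifts)
    sns.publish(TopicArn=topic_arn, Subject=subject, Message=message)
    return {"stack": stack_name, "drifted": len(drifts)}


class FakeCloudFormation:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def __init__(self):
        self.polls = 0

    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "det-0001"}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1  # first poll still running, second poll complete
        if self.polls < 2:
            return {"DetectionStatus": "DETECTION_IN_PROGRESS", "StackDriftStatus": "NOT_CHECKED"}
        return {"DetectionStatus": "DETECTION_COMPLETE", "StackDriftStatus": "DRIFTED"}

    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters, NextToken=None):
        return {"StackResourceDrifts": [  # constructed: a widened policy and a deleted role
            {"LogicalResourceId": "ReadOnlyPolicy", "ResourceType": "AWS::IAM::ManagedPolicy",
             "StackResourceDriftStatus": "MODIFIED",
             "PropertyDifferences": [{"PropertyPath": "/PolicyDocument/Statement/0/Action",
                                      "DifferenceType": "NOT_EQUAL",
                                      "ExpectedValue": '["s3:GetObject"]', "ActualValue": '["s3:*"]'}]},
            {"LogicalResourceId": "AuditRole", "ResourceType": "AWS::IAM::Role",
             "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
        ]}


def demo():
    """Run the detection and alert logic against the constructed client."""
    drifts = run_drift_detection(FakeCloudFormation(), "prod-iam-policies", poll_seconds=0)
    subject, message = build_alert("prod-iam-policies", drifts)
    return {"drifts": drifts, "subject": subject, "message": message}


if __name__ == "__main__":
    out = demo()
    print(out["subject"])
    print(out["message"])
```

A scheduled rule (for example a rate expression) gives periodic coverage; a rule matching IAM write calls such as PutRolePolicy or CreatePolicyVersion delivered through CloudTrail gives near-real-time detection, at the cost of running drift detection on every change. Either way the function only reports; reverting the drift is a separate decision.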
Author: Ritesh Yadav
Question #34
A company has multiple AWS accounts. A CloudOps engineer uses a sandbox account to create and verify IAM policies for use in a production account. The CloudOps engineer uses AWS CloudFormation to deploy policies to the sandbox account for testing. When tests pass, the CloudOps engineer deploys the policies to production. The CloudOps engineer has configured AWS CloudTrail in both the sandbox account and the production account. The CloudOps engineer wants to detect any changes to the IAM policies after the policies have been deployed by CloudFormation. The CloudOps engineer must receive notifications for any changes to the policies. Which solution will meet these requirements with the LEAST administrative effort?
A. Configure CloudTrail to send email notifications to the CloudOps engineer when CloudTrail detects changes to the IAM policies.
B. Create an Amazon EventBridge rule to invoke an AWS Lambda function to check the CloudFormation stack for drift. Configure the function to use Amazon Simple Notification Service (Amazon SNS) to notify the CloudOps engineer if the function detects any drift.
C. Use AWS Identity and Access Management Access Analyzer to generate a policy based on CloudTrail activity for the IAM role that is attached to the IAM policies in the production account. Compare the results to the IAM policies that are in the sandbox account. Send a notification to the CloudOps engineer if the policies are different.
D. Store the IAM policies as a JSON document in an Amazon S3 bucket. Use an AWS Lambda function to periodically compare the IAM policies with the JSON document that is stored in the S3 bucket.