
Explanation:
CloudFormation drift detection is the lowest-effort way to find resources (IAM policies included) that have been changed outside the template, i.e. have "drifted" from the configuration the stack deployed. An Amazon EventBridge rule (on a schedule, or matched to IAM write events that CloudTrail records) invokes a Lambda function that calls the CloudFormation DetectStackDrift API, waits for the asynchronous detection to finish, and publishes any drifted resources to an Amazon SNS topic. Because CloudFormation already holds the expected configuration, this needs far less custom code than storing the policy JSON in S3 and diffing it periodically (option D) or comparing Access Analyzer-generated policies across accounts (option C), and CloudTrail alone does not evaluate events and send email (option A); that would require EventBridge rules or CloudWatch alarms on top of it anyway. Two practical caveats: DetectStackDrift only starts the detection, so the function must poll DescribeStackDriftDetectionStatus before reading DescribeStackResourceDrifts, and only resource types that CloudFormation supports for drift detection are reported.
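The Lambda function described above, written out as an added example (this is not code from the original page or from AWS). It assumes the stack name and SNS topic ARN arrive as the environment variables STACK_NAME and SNS_TOPIC_ARN, and it takes the AWS clients as parameters so the drift-handling logic can be exercised offline against the constructed in-memory fakes at the bottom; the real handler passes boto3 clients.

```python
"""Lambda handler for option B: start drift detection, wait for it, notify via SNS."""
import json
import os
import time

# Drift statuses that mean a deployed resource no longer matches the template.
DRIFTED_STATUSES = {"MODIFIED", "DELETED"}


def run_drift_check(cfn, sns, stack_name, topic_arn, poll_seconds=2.0, max_polls=30):
    """Run one drift detection cycle; return the drifted resources (empty if none)."""
    # DetectStackDrift is asynchronous: it only hands back a detection id.
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]

    # Poll until the detection finishes, or give up and raise.
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"drift detection {detection_id} did not complete")

    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))

    # Ask only for resources that drifted; IN_SYNC entries are noise for the alert.
    drifts = cfn.describe_stack_resource_drifts(
        StackName=stack_name, StackResourceDriftStatusFilters=sorted(DRIFTED_STATUSES)
    )["StackResourceDrifts"]

    findings = [
        {
            "logical_id": d["LogicalResourceId"],
            "type": d["ResourceType"],
            "status": d["StackResourceDriftStatus"],
            # PropertyDifferences is absent when the resource was deleted outright.
            "changed_properties": [p["PropertyPath"] for p in d.get("PropertyDifferences", [])],
        }
        for d in drifts
        if d["StackResourceDriftStatus"] in DRIFTED_STATUSES
    ]

    if findings:
        sns.publish(
            TopicArn=topic_arn,
            Subject=f"Drift detected in stack {stack_name}"[:100],  # SNS subject limit
            Message=json.dumps(findings, indent=2),
        )
    return findings


def lambda_handler(event, context):
    """Entry point invoked by the EventBridge rule (assumed env vars, see lead-in)."""
    import boto3  # imported here so the module loads without boto3 for offline runs

    findings = run_drift_check(
        boto3.client("cloudformation"),
        boto3.client("sns"),
        os.environ["STACK_NAME"],
        os.environ["SNS_TOPIC_ARN"],
    )
    return {"drifted": len(findings)}


# --- constructed fakes for offline demonstration; not AWS SDK objects ---
class FakeCloudFormation:
    """Mimics the three CloudFormation calls above for a stack with hand-edited IAM."""

    def __init__(self):
        self.polls = 0

    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "det-0001"}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1  # first poll still in progress, second one complete
        state = "DETECTION_IN_PROGRESS" if self.polls < 2 else "DETECTION_COMPLETE"
        return {"DetectionStatus": state, "StackDriftStatus": "DRIFTED"}

    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters):
        return {"StackResourceDrifts": [
            {"LogicalResourceId": "AppReadOnlyPolicy", "ResourceType": "AWS::IAM::ManagedPolicy",
             "StackResourceDriftStatus": "MODIFIED",
             "PropertyDifferences": [{"PropertyPath": "/PolicyDocument/Statement/0/Action"}]},
            {"LogicalResourceId": "LegacyRole", "ResourceType": "AWS::IAM::Role",
             "StackResourceDriftStatus": "DELETED"},
        ]}


class FakeSNS:
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "m-1"}


def demo():
    """Offline run against the fakes; returns (findings, fake_cfn, fake_sns)."""
    cfn, sns = FakeCloudFormation(), FakeSNS()
    arn = "arn:aws:sns:us-east-1:123456789012:drift-alerts"  # constructed example ARN
    return run_drift_check(cfn, sns, "prod-iam", arn, poll_seconds=0), cfn, sns


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The Lambda role needs cloudformation:DetectStackDrift, cloudformation:DescribeStackDriftDetectionStatus, cloudformation:DescribeStackResourceDrifts and sns:Publish on the topic; keep the EventBridge schedule coarse enough that one detection finishes before the next invocation starts, since CloudFormation rejects a second DetectStackDrift on a stack that is already being checked.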
Question-34: The CloudOps engineer has configured AWS CloudTrail in both the sandbox account and the production account. The CloudOps engineer wants to detect any changes to the IAM policies after the policies have been deployed by CloudFormation. The CloudOps engineer must receive notifications for any changes to the policies. Which solution will meet these requirements with the LEAST administrative effort?
A
Configure CloudTrail to send email notifications to the CloudOps engineer when CloudTrail detects changes to the IAM policies.
B
Create an Amazon EventBridge rule to invoke an AWS Lambda function to check the CloudFormation stack for drift. Configure the function to use Amazon Simple Notification Service (Amazon SNS) to notify the CloudOps engineer if the function detects any drift.
C
Use AWS Identity and Access Management Access Analyzer to generate a policy based on CloudTrail activity for the IAM role that is attached to the IAM policies in the production account. Compare the results to the IAM policies that are in the sandbox account. Send a notification to the CloudOps engineer if the policies are different.
D
Store the IAM policies as a JSON document in an Amazon S3 bucket. Use an AWS Lambda function to periodically compare the IAM policies with the JSON document that is stored in the S3 bucket.