AWS Certified CloudOps Engineer – Associate

Get started today

Ultimate access to all questions.

Explanation:

AWS CloudFormation Drift Detection allows you to identify which stack resources have been changed outside of CloudFormation management. By using Amazon EventBridge to trigger a Lambda function that initiates a drift detection check, and then using SNS for notification, the engineer can automate the monitoring of manual policy changes (drift) with minimal administrative effort.

Explanation:

Comments (0)

No comments yet.

Question #34\nA company has multiple AWS accounts. A CloudOps engineer uses a sandbox account to create and verify IAM policies for use in a production account. The CloudOps engineer uses AWS CloudFormation to deploy policies to the sandbox account for testing. When tests pass, the CloudOps engineer deploys the policies to\nproduction. The CloudOps engineer has configured AWS CloudTrail in both the sandbox account and the production account.\nThe CloudOps engineer wants to detect any changes to the IAM policies after the policies have been deployed by CloudFormation. The CloudOps engineer must receive notifications for any changes to the policies.\nWhich solution will meet these requirements with the LEAST administrative effort?

Exam-Like

Last updated: May 9, 2026 at 17:24

Configure CloudTrail to send email notifications to the CloudOps engineer when CloudTrail detects changes to the IAM policies.

Create an Amazon EventBridge rule to invoke an AWS Lambda function to check the CloudFormation stack for drift. Configure the function to use Amazon Simple Notification Service (Amazon SNS) to notify the CloudOps engineer if the function detects any drift.

Use AWS Identity and Access Management Access Analyzer to generate a policy based on CloudTrail activity for the IAM role that is attached to the IAM policies in the production account. Compare the results to the IAM policies that are in the sandbox account. Send a notification to the CloudOps engineer if the policies are different.

Store the IAM policies as a JSON document in an Amazon S3 bucket. Use an AWS Lambda function to periodically compare the IAM policies with the JSON document that is stored in the S3 bucket.