Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 207 discussion

I recommend checking out this blog which utilizes AWS Config and discusses Edenbridge. Here is the link: https://aws.amazon.com/blogs/mt/implementing-an-alarm-to-automatically-detect-drift-in-aws-cloudformation-stacks/"

Given the options and the requirement for immediate notification upon drift detection, Option D is the most appropriate solution. It leverages AWS Config to continuously monitor and evaluate the configurations of AWS resources, including CloudFormation stacks. When AWS Config detects a drift from the desired configuration, it can trigger an EventBridge rule, which in turn can notify the interested parties via the SNS topic. This approach does not require additional custom logic to check for drift results, as AWS Config handles the evaluation and notification process based on configuration changes.

D: AWS Config’s cloudformation-stack-drift-detection-check is a managed rule, but it runs on a periodic basis and may not provide immediate detection or notification. It also may not be as responsive as a custom Lambda-based solution.

The solution that will meet the requirements of receiving a notification as soon as possible when drift is detected in the specific CloudFormation stack configuration is: B. Create a second Lambda function to query the CloudFormation API for the drift detection results for the stack. Configure the second Lambda function to publish a message to the SNS topic if drift is detected. Adjust the existing EventBridge rule to also target the second Lambda function. Option D (Using AWS Config) would introduce additional complexity and potential delays, as AWS Config periodically evaluates resource configurations and may not provide immediate notifications upon drift detection. By creating a separate Lambda function dedicated to monitoring drift detection results and publishing notifications to the existing SNS topic, you can ensure timely and reliable notifications while maintaining a modular and scalable architecture.

answer D AWS Config Integration: AWS Config is specifically designed to monitor and detect configuration changes and drifts in AWS resources, including CloudFormation stacks. Using AWS Config's built-in cloudformation-stack-drift-detection-check managed rule ensures comprehensive and reliable drift detection for CloudFormation stacks. Event-Driven Architecture: Creating an EventBridge rule that reacts to a compliance change event for the CloudFormation stack allows you to trigger an alert as soon as drift is detected. This event-driven approach ensures timely detection and alerting for CloudFormation stack drift. SNS Notification: By configuring the SNS topic as a target of the EventBridge rule, you can easily send notifications/alerts to various endpoints, including email, SMS, or other AWS services, ensuring immediate alerting when drift is detected.

D, Use the cloudformation-stack-drift-detection-check managed rule B uses scheduled rule will not notify as soon as possible as it runs hourly

D woudl be suitable - https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html B would not work as it would still only be triggered once per hour as is using the same event bridge rule

D refer this: https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html

The minimum interval for the `cloudformation-stack-drift-detection-check` managed rule in AWS config is 1 hour and does not meet the following requirements. `as soon as possible when drift is detected`

B is a suitable solution for meeting the requirements: This solution provides a more direct and responsive approach. The other options involve additional services like GuardDuty (Option C), which is not designed for CloudFormation drift detection, or AWS Config with managed rules (Option D), which may introduce unnecessary complexity for this specific scenario. Option A doesn't provide a straightforward way to react to drift detection events.

Leverages existing infrastructure: This approach utilizes the existing EventBridge rule and SNS topic, avoiding the need for additional resources or complex configurations. Immediate notification: Since the EventBridge rule already triggers the Lambda function every hour, adding the SNS topic as a target ensures drift detection results are published directly to the topic for immediate notification. Filtering for specific stack: Implementing an SNS subscription filter policy ensures you only receive notifications for the specific CloudFormation stack you're interested in, avoiding irrelevant noise.

B: is correct A: SNS topic would be trigger consistenly by the existing evenbridge, so this is incorrect C: Guarduty is for threat detection, not this D: irrelevant, the question requires using ACF drif detection, not AWS config for drift detection

D. AWS Config

B is the most appropriate solution for this scenario. A is incorrect because although it involves configuring the existing EventBridge rule to target the SNS topic and using an SNS subscription filter policy, it does not involve querying the CloudFormation API for drift detection results. C is incorrect because it involves using Amazon GuardDuty, which is not specifically designed for CloudFormation drift detection. D is incorrect because although it involves using AWS Config and EventBridge to react to compliance change events, it does not directly address CloudFormation drift detection. With CloudWatch Events (now a part of EventBridge) https://aws.amazon.com/fr/blogs/mt/implement-automatic-drift-remediation-for-aws-cloudformation-using-amazon-cloudwatch-and-aws-lambda/

B is wrong, you can not query the CloudFormation API