Exam ANS-C00 topic 1 question 60 discussion

Should it be A,B & D

Recently, AWS Config announced support for AWS CloudFormation stacks. You can now start tracking the current and historical configuration of your CloudFormation stacks, and get notified via Amazon SNS when your stack configuration changes. You can also use a managed AWS Config rule to check whether your CloudFormation stacks are sending event notifications to an SNS topic. https://aws.amazon.com/blogs/mt/how-to-track-configuration-changes-to-cloudformation-stacks-using-aws-config/ Correct answer is A,B,E !

A,B,E https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-aws-cloudformation-drift-detection-in-a-multi-region-multi-account-organization.html The current guidance will help organizations achieve the goal by using a combination of the following services: AWS Config rule Amazon CloudWatch rule AWS Identity and Access Management (IAM) AWS Lambda Amazon Simple Notification Service (Amazon SNS)

Should be ABE

My thinking is why use lambda to trigger SNS while it is already integrated with CloudFormation to send notifications. In my understanding lambda is used for remediation (to configure automatic restore of previous configuration). It does not mean Lambda is a wrong answer, it is certainly doable but what is the critical need? Here is the best use case of lambda. https://aws.amazon.com/blogs/mt/implement-automatic-drift-remediation-for-aws-cloudformation-using-amazon-cloudwatch-and-aws-lambda/ So I would go for A B E

A,B,E https://aws.amazon.com/blogs/mt/how-to-track-configuration-changes-to-cloudformation-stacks-using-aws-config/

As per bellow comment

BCD The question is about if a change is made by using CloudFormation or not. If it's not, an alert will be sent out. If an EC2 instance was created, CloudWatch captures the change, triggers Lambda, then send out SNS to interesting parties. I don't see any point to use AWS Config.

ABE: https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html

Answer is A, B and E. This question is about alerting. There is no mention of remediation etc. There is no need for Lambda as Config will use SNS directly to send an alert. Cloudformation is required along with Config and SNS as the combiation of services. https://aws.amazon.com/blogs/mt/how-to-track-configuration-changes-to-cloudformation-stacks-using-aws-config/

I would say ABD as the correct answers: A) AWS Config tracks changes B) Automates based on the input from AWS Config D) Sends Alerts https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html

It is B, D and F. These functions represent the “remediation” component of the solution. If you need to ensure that certain aspects of your stack resources are kept in compliance, you should write and include this functionality in your Lambda function. For example, the preceding two functions defined serve only to keep AWS managed policies and customer managed policies in compliance, respectively. If another aspect of the IAM role were to change, such as the role description, our Lambda function may correctly identify this configuration drift, but would not remediate this difference. The Lambda function in this post only contains functionality to detect configuration drift and return the policies attached to IAM roles to compliance. Likewise, additional resources and features such as Amazon SNS notifications and optional noncompliance can be included.

It should be B, D & E. https://aws.amazon.com/pt/blogs/mt/implement-automatic-drift-remediation-for-aws-cloudformation-using-amazon-cloudwatch-and-aws-lambda/ These functions represent the “remediation” component of the solution. If you need to ensure that certain aspects of your stack resources are kept in compliance, you should write and include this functionality in your Lambda function. For example, the preceding two functions defined serve only to keep AWS managed policies and customer managed policies in compliance, respectively. If another aspect of the IAM role were to change, such as the role description, our Lambda function may correctly identify this configuration drift, but would not remediate this difference. The Lambda function in this post only contains functionality to detect configuration drift and return the policies attached to IAM roles to compliance. Likewise, additional resources and features such as Amazon SNS notifications and optional noncompliance can be included.

The answer should be AB&D The question doesn't mention Cloudwatch event, without event you need a Lambda function as a glue between AWS Config and SNS The overall data flow: change made outside CF -> trigger the managed rule "cloudformation-stack-drift-detection-check" in AWS Config -> trigger your Lambda function -> your function send alarts via SNS IAM is a fundamental piece in all AWS services, it is should be used by default

Answer: A,B,F A - correct - AWS to cloudformation-stack-drift-detection-check to detect config changes, trigger by [specified] resource changes. B - correct - to receive and publish the notification C - incorrect - cloudwatch metrics are used to monitor performance of systems D - incorrect - no need for Lambda. Use Lambda when developing custom evaluation logic - AWS Config has a managed rule for drift detection (2017, before exam published) E - incorrect - no need to use the service "directly". However AWS Config does call the appropriate CF API F - correct - ASSUMING its a typo. IAM permissions required for AWS Config. (Should be Identity not Identify as eveyrone knows) If F is indeed Identify, then obviously wrong, then maybe A,B,E (implicit use of CF Detect Drift API)

Not sure if people even read the question... A. Yes. B. Yes. C. No. Have you actually used CW-Metrics? D. Yes. E. No > its already in use. For example, setting an SNS notification when deploying an CFN template is not called CloudFormation SNS notification. If the question or answer states the specific terminology such as CloudFormation drift detection - then obviously the sub-feature is valid. F. There is no service called 'AWS Indentify'. Answer. ABD.

THANKS FOR FEEDBACK on this one...tricky. ABE