Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 183 discussion

Answer is B. A new AWS Config rule is deployed in the account after you enable AWS Security Hub. The AWS Config rule reacts to resource configuration and compliance changes and send these change items to AWS CloudWatch. When AWS CloudWatch receives the compliance change, a CloudWatch event rule triggers the AWS Lambda function.

Correct answer: B "..AWS Config supports IAM users, groups, and roles, as well as policies managed by you. A versioned history of AWS managed policies is already available in the IAM console. Inline policies associated with IAM entities are tracked as part of the configuration of those IAM entities.." "..Authoring a custom AWS Config rule to check that a single approved IAM policy is in use I will now set up a new AWS Config rule that checks whether all IAM users (with the exception of a single user, such as an admin user) in my account are using only the MyIAMUserPolicy policy created and managed by me, and are not using any other policy. You would set up this type of rule to ensure all “standard” IAM users have the same level of permissions that you are managing through MyIAMUserPolicy..." Reference: https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/#:~:text=AWS%20Config%20supports%20IAM%20users,configuration%20of%20those%20IAM%20entities.

WTF! The operations manager needs a way to easily identify the users with attached policies. What should a solutions architect do to accomplish this? Operations manager need to find what has already happened first you guys all aswere for the next step to prevent the action! We need to first find so A is the correct answer.

B is the answer

https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html

https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html

B. Create an AWS Config rule to run daily.

B https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/

Did anyone notice that they are asking for the list of users who have been not following that standard. That means I need to find the users to whom the policy is already directly applied. All the answers(Except C) is valid if we need to find the users if a policy is direc.tly applied to them in future. So the answers A,B & D talks about furture incident however answer C talks about finding the users for which incident is already happened. C should be the ans.

Answer is B. https://aws.amazon.com/blogs/aws/aws-config-rules-dynamic-compliance-checking-for-cloud-resources/

I am going with B , It seems to be the correct answer.

I'm confused about website's answer C. But maybe this link helps: https://aws.amazon.com/blogs/security/how-to-receive-alerts-when-your-iam-configuration-changes/

https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/ Answer is B

AWS config for sure iam-user-no-policies-check is one of the config rules

Ans=B https://docs.aws.amazon.com/config/latest/developerguide/iam-user-no-policies-check.html

Why the website Say C ? Any one explain ? If they put w/o explaining - it really confuses all of us - Please respond

AWS Config reports on what has changed, whereas CloudTrail reports on who made the change, when, and from which location. AWS Config is focused on the configuration of your AWS resources and reports with detailed snapshots on how your resources have changed. CloudTrail focuses on the events, or API calls, that drive those changes. It focuses on the user, application, and activity performed on the system. Answer is A