A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance. What combination of actions should the Engineer take? (Choose two.)
A. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
B. Create an AWS Config configuration item for each VPC in the company AWS account.
C. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
D. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
E. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
D & E;
three steps are necessary (https://aws.amazon.com/blogs/security/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-aws-config-rules/)
1. Create a Lambda function containing the logic to determine if a resource is compliant or noncompliant.
2. Create a custom Config rule that uses the Lambda function created in Step 1 as the source.
3. Create a Lambda function that polls Config to detect noncompliant resources on a daily basis and send notifications via Amazon SNS.
A -> 1
D -> 3
E -> 2 & 1
Since E ("associate it with an AWS Lambda function that contains the evaluating logic") covers A, the answer is D&E.
Grrr, my bad. There should be two Lambda functions in the process, therefore it seems A&E at first look. However, my first answer is right. Both A and the Lambda function in E refer to Step 1. There is a mechanism to read the Config rule poll as input and create notifications accordingly. There are no such Lambda functions in the answers. But D can work for this. Final decision: D&E
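Steps 1 and 2 above in working form, as an added example that is not code from this thread or from the linked blog post. It is the evaluating Lambda that a custom Config rule would be pointed at; it assumes the rule is created with this function's ARN as its source (Owner CUSTOM_LAMBDA), that the function's execution role can call ec2:DescribeVpcs, ec2:DescribeFlowLogs and config:PutEvaluations, and that the rule parameter name "trafficType" is our own choice for this rule rather than an AWS-defined name. The sample flow-log records and the trigger event at the bottom are constructed, not real AWS output.

```python
# Lambda evaluator for a custom AWS Config rule that checks VPC Flow Logs.
# Added example, not code from the thread or the linked blog post. It assumes
# the rule uses this function's ARN as its source, the function's role can call
# ec2:DescribeVpcs, ec2:DescribeFlowLogs and config:PutEvaluations, and the
# rule parameter name "trafficType" is our own choice for this rule.
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_vpc(vpc_id, flow_logs, traffic_type=None):
    """Compliance of one VPC given the FlowLogs list from ec2:DescribeFlowLogs.

    Only an ACTIVE flow log attached to the VPC itself (ResourceId == vpc_id)
    counts; a subnet- or ENI-level flow log covers only part of the VPC.
    """
    for fl in flow_logs:
        if fl.get("ResourceId") != vpc_id or fl.get("FlowLogStatus") != "ACTIVE":
            continue
        if traffic_type and fl.get("TrafficType") != traffic_type:
            continue  # e.g. the rule requires ALL but this log captures only ACCEPT
        return COMPLIANT
    return NON_COMPLIANT


def _evaluation(resource_type, resource_id, compliance, timestamp, annotation=""):
    ev = {"ComplianceResourceType": resource_type, "ComplianceResourceId": resource_id,
          "ComplianceType": compliance, "OrderingTimestamp": timestamp}
    if annotation:
        ev["Annotation"] = annotation  # shown in the Config console next to the result
    return ev


def build_evaluations(event, flow_logs, all_vpc_ids):
    """Map one Config rule invocation to PutEvaluations entries.

    A configuration-change trigger carries one VPC in configurationItem; a
    scheduled (periodic) trigger carries none, so every VPC is evaluated.
    """
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    traffic_type = params.get("trafficType")
    timestamp = invoking["notificationCreationTime"]

    item = invoking.get("configurationItem")
    if item is not None:
        deleted = str(item.get("configurationItemStatus", "")).startswith("ResourceDeleted")
        if item.get("resourceType") != "AWS::EC2::VPC" or deleted:
            return [_evaluation(item["resourceType"], item["resourceId"], NOT_APPLICABLE, timestamp)]
        targets = [item["resourceId"]]
    else:
        targets = list(all_vpc_ids)

    results = []
    for vpc_id in targets:
        compliance = evaluate_vpc(vpc_id, flow_logs, traffic_type)
        note = ""
        if compliance == NON_COMPLIANT:
            note = "No ACTIVE VPC-level flow log" + (f" with TrafficType={traffic_type}" if traffic_type else "")
        results.append(_evaluation("AWS::EC2::VPC", vpc_id, compliance, timestamp, note))
    return results


def lambda_handler(event, context):
    """Entry point invoked by AWS Config (boto3 is present in the Lambda runtime)."""
    import boto3  # imported here so the pure logic above runs offline without it
    ec2 = boto3.client("ec2")
    flow_logs = [fl for page in ec2.get_paginator("describe_flow_logs").paginate() for fl in page["FlowLogs"]]
    vpc_ids = [v["VpcId"] for page in ec2.get_paginator("describe_vpcs").paginate() for v in page["Vpcs"]]
    evaluations = build_evaluations(event, flow_logs, vpc_ids)
    config = boto3.client("config")
    for i in range(0, len(evaluations), 100):  # PutEvaluations accepts at most 100 entries per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100], ResultToken=event["resultToken"])


# Constructed sample data, not real AWS output: vpc-0aaa has an ACTIVE VPC-level
# flow log; vpc-0bbb has only a subnet-level one, so it must come out NON_COMPLIANT.
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0a1", "ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    {"FlowLogId": "fl-0b2", "ResourceId": "subnet-0bbb", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
]
SAMPLE_VPC_IDS = ["vpc-0aaa", "vpc-0bbb"]
SAMPLE_SCHEDULED_EVENT = {  # shape of a periodic (ScheduledNotification) trigger
    "invokingEvent": json.dumps({"messageType": "ScheduledNotification",
                                 "notificationCreationTime": "2024-01-01T00:00:00.000Z"}),
    "ruleParameters": json.dumps({"trafficType": "ALL"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    for ev in build_evaluations(SAMPLE_SCHEDULED_EVENT, SAMPLE_FLOW_LOGS, SAMPLE_VPC_IDS):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], ev.get("Annotation", ""))
```

To wire this up as step 2, grant Config permission to invoke the function (`aws lambda add-permission ... --principal config.amazonaws.com --action lambda:InvokeFunction`) and create the rule with `aws configservice put-config-rule`, setting Source.Owner to CUSTOM_LAMBDA, SourceIdentifier to the function ARN, and SourceDetails with MessageType ConfigurationItemChangeNotification (and ScheduledNotification if you also want a periodic sweep). The point of checking ResourceId against the VPC ID rather than "any flow log exists" is that a subnet- or ENI-level flow log would otherwise mask an uncovered VPC.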
A & C are correct for sure. The link shows an exact situation.
1) Create a Lambda function containing the logic to determine if the VPC is enabled or disabled (Answer A)
2) Create a custom Config rule and use the Lambda function (ARN) as the source (Answer C)
3) Create a Lambda function that polls Config to detect noncompliant resources on a daily basis and send notifications via Amazon SNS
https://medium.com/mudita-misra/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-aws-config-rules-2e53b09006de
It is worth mentioning that there is a managed rule for AWS Config called "vpc-flow-logs-enabled" (Resource Types: AWS::EC2::VPC), and in real life you do not need to create your own logic function to check this configuration.
But in this question, it was not mentioned and the best options out of the provided 5 are A and E.
Seems the question is outdated. AWS Config has a managed rule that checks whether flow logs have been enabled on all VPCs. https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html
AE
Option A is correct because the Security Engineer can create an AWS Lambda function that uses the AWS SDK to determine whether Flow Logs are enabled for a given VPC by checking the status of the Flow Logs on the VPC. The function can be triggered on a schedule using a CloudWatch Event rule.
Option E is correct because the Security Engineer can create an AWS Config custom rule that uses the same AWS Lambda function created in Option A. The custom rule can evaluate each VPC in the account and check the status of the Flow Logs on the VPC. If the Flow Logs are not enabled, the rule can return a noncompliant result. The Security Engineer can then use AWS Config to aggregate and view the compliance status of all VPCs in the account
This is a two step solution. First we need to create the Lambda function with the logic to evaluate the VPC flow logs. Next we need to create a Custom Config rule and associate it with the Lambda function. Therefore the answer is A and E.
https://aws.amazon.com/blogs/mt/how-to-enable-vpc-flow-logs-automatically-using-aws-config-rules/ talks about a solution without Lambda. So, Lambda can also be used instead of Systems Manager.
1.Create a Lambda function containing the logic to determine if a resource is compliant or noncompliant.
2.Create a custom Config rule that uses the Lambda function created in Step 1 as the source.
3.Create a Lambda function that polls Config to detect noncompliant resources on a daily basis and send notifications via Amazon SNS.
https://aws.amazon.com/blogs/security/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-aws-config-rules/
Surely E (which includes the action in A) with D, which is a kind of remediation.
However, there is a better answer to this question now. There is a managed rule "vpc-flow-log-enabled" and an AWS managed document "AWS-EnableVPCFlowLogs".
I was confused by the highest voted one, but from what others say in the comments, it seems like the answers were mixed up and switched places.
AE is the right one for me
First of all, the question doesn't mention alerting, only auditing. So option D (CloudWatch) doesn't come into the picture.
A & E should be the answers if we follow this blog.
https://aws.amazon.com/blogs/security/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-aws-config-rules/