Exam AWS Certified Solutions Architect - Professional topic 1 question 425 discussion

A company plans to move regulated and security-sensitive businesses to AWS. The Security team is developing a framework to validate the adoption of AWS best practices and industry-recognized compliance standards. The AWS Management Console is the preferred method for teams to provision resources.
Which strategies should a Solutions Architect use to meet the business requirements and continuously assess, audit, and monitor the configurations of AWS resources? (Choose two.)

  • A. Use AWS Config rules to periodically audit changes to AWS resources and monitor the compliance of the configuration. Develop AWS Config custom rules using AWS Lambda to establish a test-driven development approach, and further automate the evaluation of configuration changes against the required controls.
  • B. Use Amazon CloudWatch Logs agent to collect all the AWS SDK logs. Search the log data using a pre-defined set of filter patterns that matches mutating API calls. Send notifications using Amazon CloudWatch alarms when unintended changes are performed. Archive log data by using a batch export to Amazon S3 and then Amazon Glacier for a long-term retention and auditability.
  • C. Use AWS CloudTrail events to assess management activities of all AWS accounts. Ensure that CloudTrail is enabled in all accounts and available AWS services. Enable trails, encrypt CloudTrail event log files with an AWS KMS key, and monitor recorded activities with CloudWatch Logs.
  • D. Use the Amazon CloudWatch Events near-real-time capabilities to monitor system events patterns, and trigger AWS Lambda functions to automatically revert non-authorized changes in AWS resources. Also, target Amazon SNS topics to enable notifications and improve the response time of incident responses.
  • E. Use CloudTrail integration with Amazon SNS to automatically notify unauthorized API activities. Ensure that CloudTrail is enabled in all accounts and available AWS services. Evaluate the usage of Lambda functions to automatically revert non-authorized changes in AWS resources.
Suggested Answer: AC
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
https://docs.aws.amazon.com/en_pv/awscloudtrail/latest/userguide/best-practices-security.html
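As an added example (not from the original page or any of the answers below), here is the shape of the control that options A and C describe together: an AWS Config custom rule backed by Lambda that evaluates each recorded CloudTrail trail for a KMS key, log file validation, an attached CloudWatch Logs group and multi-region coverage, then reports the result back to Config. The configuration field names are assumed to mirror CloudTrail's GetTrail output as Config records it; the sample event, its resource id and its result token are constructed.

```python
import json

try:
    import boto3  # present in the Lambda runtime; only needed when deployed
except ImportError:  # lets the evaluation logic run offline in unit tests
    boto3 = None

# Controls from option C, keyed by the field names Config records for a trail (assumed to mirror GetTrail output).
CONTROLS = {
    "kmsKeyId": "log files are not encrypted with a KMS key",
    "logFileValidationEnabled": "log file validation is disabled",
    "cloudWatchLogsLogGroupArn": "no CloudWatch Logs log group is attached",
    "isMultiRegionTrail": "trail does not cover all regions",
}

def evaluate_trail(configuration):
    """Return (ComplianceType, Annotation) for one AWS::CloudTrail::Trail."""
    findings = [msg for key, msg in CONTROLS.items() if not configuration.get(key)]
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)
    return "COMPLIANT", "trail meets all required controls"

def build_evaluation(event):
    """Map one Config configuration-change event to a PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource was deleted"
    elif item["resourceType"] != "AWS::CloudTrail::Trail":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates CloudTrail trails"
    else:
        compliance, note = evaluate_trail(item["configuration"])
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context, config_client=None):
    """Entry point; config_client is injectable so tests never call AWS."""
    evaluation = build_evaluation(event)
    client = config_client if config_client is not None else boto3.client("config")
    client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

SAMPLE_EVENT = {  # constructed: validation and multi-region on, but no KMS key and no log group
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::CloudTrail::Trail", "resourceId": "example-trail",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"isMultiRegionTrail": True, "logFileValidationEnabled": True,
                          "kmsKeyId": None, "cloudWatchLogsLogGroupArn": None}}}),
    "resultToken": "constructed-token"}
```

Deployed as a Config custom rule scoped to AWS::CloudTrail::Trail, the function runs on every configuration change and the annotation shows up in the Config console next to the non-compliant trail.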

Comments

Moon
Highly Voted 3 years, 10 months ago
My answers are "A & C". The key point in the question is that it requests to "assess, audit & monitor". Therefore, any answer that contains terminations for instances/services shall be eliminated. So, "D & E" are out because they are taking actions. "B" does not make sense! A: Config rules are a very useful tool for compliance. C: CloudTrail is also a great tool for auditing.
upvoted 42 times
tan9
3 years, 10 months ago
A&C. I have the same viewpoint as Moon. Option C encrypts CloudTrail logs in addition to what option E does; this is considered a best practice here: https://docs.aws.amazon.com/en_pv/awscloudtrail/latest/userguide/best-practices-security.html
upvoted 2 times
pixepe
2 years, 12 months ago
Correct - A,C. E is incorrect, as CloudTrail can't publish to an SNS topic on unauthorized usage. Per AWS, "You can be notified when CloudTrail publishes new log files to your Amazon S3 bucket. You manage notifications using Amazon Simple Notification Service (Amazon SNS)." https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
upvoted 1 times
9Ow30
3 years, 10 months ago
Yes A and C are good. Just tell what is asked and nothing extra. So we can ignore the action answers.
upvoted 5 times
donathon
Highly Voted 3 years, 10 months ago
AE. B/D: CloudWatch cannot monitor API changes. C: Both C and E are doable, but I feel E is better because it reverts changes and hence ensures the environment is always in compliance.
https://aws.amazon.com/blogs/security/how-to-audit-your-aws-resources-for-security-compliance-by-using-custom-aws-config-rules/
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-cloudtrail-changes
https://aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-your-amazon-vpc-security-groups/
upvoted 11 times
PacoDerek
3 years, 10 months ago
I believe A,C. And E: there is no such operation as "Evaluate the usage of Lambda functions to automatically revert non-authorized changes in AWS resources". And since AWS Config already restricts the operation, there can't be any non-authorized changes.
upvoted 4 times
newme
3 years, 9 months ago
B/D: CloudWatch cannot monitor API changes. Good point.
upvoted 1 times
DerekKey
3 years, 9 months ago
donathon - you are wrong - CloudWatch can monitor API changes using CloudTrail integration (you enable it on each trail).
upvoted 1 times
DashL
3 years, 9 months ago
Why do you want to revert the changes back (as mentioned in E) when the requirement is only to " continuously assess, audit, and monitor"?
upvoted 3 times
SkyZeroZx
Most Recent 2 years, 1 month ago
Selected Answer: AC
A && C. Key words: 'continuously' assess, audit, and monitor the 'configurations'.
A is probably correct - although rules should be triggered on resource configuration change, not periodically.
B is wrong - no explanation needed.
C is correct - you can search trail history.
D is wrong - requires CloudTrail trails with CloudWatch integration, not mentioned here.
E is wrong - it says unauthorized API activities - they are not looking for such functionality.
upvoted 1 times
mrgreatness
2 years, 9 months ago
A and C 100% -- I built a solution like this.
upvoted 1 times
cldy
3 years, 8 months ago
A. Use AWS Config rules to periodically audit changes to AWS resources and monitor the compliance of the configuration. Develop AWS Config custom rules using AWS Lambda to establish a test-driven development approach, and further automate the evaluation of configuration changes against the required controls. C. Use AWS CloudTrail events to assess management activities of all AWS accounts. Ensure that CloudTrail is enabled in all accounts and available AWS services. Enable trails, encrypt CloudTrail event log files with an AWS KMS key, and monitor recorded activities with CloudWatch Logs.
upvoted 2 times
AzureDP900
3 years, 8 months ago
AC is right
upvoted 1 times
andylogan
3 years, 9 months ago
It's A C
upvoted 1 times
student22
3 years, 9 months ago
A,C Why C instead of D? Because here no requirement to take reactive actions, and C secures the logs better.
upvoted 1 times
DerekKey
3 years, 9 months ago
A and C. Key words: 'continuously' assess, audit, and monitor the 'configurations'.
A is probably correct - although rules should be triggered on resource configuration change, not periodically.
B is wrong - no explanation needed.
C is correct - you can search trail history.
D is wrong - requires CloudTrail trails with CloudWatch integration, not mentioned here.
E is wrong - it says unauthorized API activities - they are not looking for such functionality.
upvoted 3 times
student2020
3 years, 9 months ago
Answer C has this last statement: "and monitor recorded activities with CloudWatch Logs". CloudWatch Logs does not record activities from CloudTrail. I think this eliminates C.
upvoted 1 times
student2020
3 years, 9 months ago
Edit - After testing in the AWS console, you can actually monitor recorded activities with CloudWatch Logs. This answer is correct. A and C seem to be the best options.
upvoted 1 times
WhyIronMan
3 years, 9 months ago
I'll go with A,C
upvoted 2 times
Waiweng
3 years, 9 months ago
A and C
upvoted 3 times
alisyech
3 years, 9 months ago
A & C for sure
upvoted 1 times
wind
3 years, 9 months ago
go with AC.
upvoted 1 times
Kian1
3 years, 9 months ago
will go with A,C
upvoted 2 times
Ebi
3 years, 9 months ago
AC is my choice
upvoted 3 times
sanjaym
3 years, 9 months ago
I'll go with AC. Initially I thought AE. C and E are both correct, but C is more relevant, as E reverts changes, which is not in the requirement.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other