A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
C is the best answer.
This URL (https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html) explains an SSM runbook to automate the CREATION of a CloudTrail trail alongside an S3 bucket, KMS key, and assume role.
It is not about re-enabling (start logging) of an existing trail.
It's C. A is incorrect since it creates a new trail, not enabling an existing one.
This is the ssm document explained:
https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enablecloudtrail.html
Ans A:
To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.
A is incorrect: To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html
It is A
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html
To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.
Answer: A. Refer to the link below.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API is the most efficient way to implement the solution. Amazon EventBridge (formerly CloudWatch Events) is a serverless event bus service that enables you to create and manage rules that match events from AWS services and other supported event sources. You can use EventBridge to capture and respond to events that take place in your AWS account. In this case, an Amazon EventBridge rule can be set up to detect when CloudTrail is turned off in multiple regions and to trigger a Lambda function that can turn it back on. This solution is scalable and efficient as it uses event-driven architecture to automate the process of turning on CloudTrail.
The question talks about "turn AWS CloudTrail back on...." The managed rule (managed rule to trigger the AWS-EnableCloudTrail remediation) that is mentioned in the option A creates a new trail. It does not re-enable the existing trail. So, A could NOT be a correct Answer.
https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enablecloudtrail.html
To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html
Based on the provided options, the solution based on the use of a Lambda function would be the correct answer.
The correct answer is C.
https://aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/
A is not the correct answer because AWS Config does not have a built-in managed rule for turning CloudTrail back on in multiple regions. AWS Config does provide a way to detect whether CloudTrail is enabled or not in a particular region, but it does not have a built-in way to automatically remediate the issue. You would need to write a custom rule and Lambda function or use other AWS services like EventBridge or CloudWatch Alarms.
Option A would be less efficient than using CloudWatch Events for several reasons:
While AWS Config can be used to detect when CloudTrail is turned off, it is not specifically designed for that purpose and may not be as efficient at detecting the StopLogging event as CloudWatch Events.
AWS Config requires additional setup and maintenance, such as creating and configuring rules, to detect and react to changes in CloudTrail status. This can add complexity and increase the time it takes to detect and respond to changes in CloudTrail status.
AWS Config does not have built-in integration with the StartLogging API. In order to react to the StopLogging event and turn CloudTrail back on, you would need to configure additional resources like a Lambda function or custom rule to call the StartLogging API.
On the other hand, CloudWatch Events is a service that can detect changes in CloudTrail status in real time and trigger an action in response. It integrates directly with the StartLogging API, which makes it more efficient in this particular use case, as it can detect the StopLogging event and react to it by calling the StartLogging API.
Answer C is MOST efficient
The Config rule is unclear on the remediation part, and rules would not run immediately; they would run either every 24 hours or as scheduled, thus not efficient.
To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.
Though there are a few typos in choice A, still going to select A.
It's not A:
AWS-EnableCloudTrail creates an AWS CloudTrail trail and configures logging to an S3 bucket.
You don't need a new trail, you need to re-enable the disabled trail.
https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enablecloudtrail.html
If you want to re-enable CloudTrail you need to use cloudtrail-enabled:
https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html
C is the right answer:
https://aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/
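The event-driven approach the comments above describe (match the StopLogging API call delivered through EventBridge, then have a Lambda function call StartLogging on the same trail) is shown below as an added example; it is not code from the page, from the linked AWS blog post, or from any AWS-maintained project. The rule pattern uses the standard EventBridge shape for CloudTrail-delivered API calls, the trail ARN, account ID and region in the sample event are constructed placeholders, and the `client_factory` parameter is an assumption added so the handler can be exercised offline without a real boto3 client. The handler ignores events that carry an `errorCode` (a StopLogging call that was denied did not actually stop the trail), and it calls StartLogging in the region the StopLogging call was accepted in, which is the trail's home region.

```python
"""Added example: EventBridge rule pattern + Lambda handler that re-enables a
CloudTrail trail when a StopLogging API call is observed. Not from the page."""
import json

# Constructed EventBridge event pattern. "source" and "detail-type" are the
# values EventBridge uses for API calls delivered via CloudTrail; eventSource
# and eventName are the ones named in the answer options on the page.
STOP_LOGGING_RULE_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging"],
    },
}


def _boto3_cloudtrail(region):
    """Default client factory; boto3 is assumed to be present in the Lambda runtime."""
    import boto3
    return boto3.client("cloudtrail", region_name=region)


def parse_stop_logging(event):
    """Return (trail_name_or_arn, region) for a successful StopLogging call,
    or None when the event should be ignored."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if detail.get("eventName") != "StopLogging":
        return None
    # A StopLogging call that failed (e.g. AccessDenied) left the trail running.
    if detail.get("errorCode"):
        return None
    name = (detail.get("requestParameters") or {}).get("name")
    region = detail.get("awsRegion")
    if not name or not region:
        return None
    return name, region


def handler(event, context=None, client_factory=_boto3_cloudtrail):
    """Lambda entry point: re-enable the trail named in a StopLogging event.
    client_factory is a hypothetical hook so tests can inject a fake client."""
    parsed = parse_stop_logging(event)
    if parsed is None:
        return {"status": "ignored"}
    name, region = parsed
    # StartLogging is accepted only in the trail's home region; StopLogging was
    # accepted in detail.awsRegion, so that is the home region.
    client = client_factory(region)
    client.start_logging(Name=name)
    return {"status": "restarted", "trail": name, "region": region}


# Constructed sample event shaped like an EventBridge-delivered CloudTrail event.
# Account ID and trail name are placeholders, not real identifiers.
SAMPLE_STOP_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"
        },
    },
}


class RecordingClient:
    """Stand-in for the boto3 CloudTrail client so the handler runs offline."""
    started = []  # shared list so callers can inspect what was re-enabled

    def __init__(self, region):
        self.region = region

    def start_logging(self, Name):
        RecordingClient.started.append((self.region, Name))
        return {}


if __name__ == "__main__":
    print(json.dumps(STOP_LOGGING_RULE_PATTERN, indent=2))
    print(handler(SAMPLE_STOP_EVENT, client_factory=RecordingClient))
```

When deployed, the Lambda execution role needs only `cloudtrail:StartLogging` on the trails it is meant to protect; the rule and function must exist in every Region whose trails should be covered, and a multi-Region trail is covered by the deployment in its home Region.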