Exam AWS Certified Security - Specialty topic 1 question 286 discussion

The answer is C. Can't be A: Security Hub just provides a view and isn't used for configuring findings or creating custom actions. Can't be B: Doesn't cover the requirements for monitoring and alerting Can't be D: Inspector checks for vulnerabilities, and doesn't check for compliance of CodePipeline. Answer is C:

agree it's A

I think best answer is C. Using AWS Config you can evaluate CodePipeline configured stages, and if the stage of deploying in staging env is missing, then it is NON_COMPLIANT and can trigger a notification. Option A is not entirely wrong. It is feasible, but the wording is not clear and missing EventBridge..and it is a hassle.

C - AWS Config can do that

How on earth codepipeline execution is a config change for config to detect??

C definitely, config support pipelines for stag, env etc https://aws.amazon.com/about-aws/whats-new/2018/09/aws-config-adds-support-for-aws-codepipeline/

https://docs.aws.amazon.com/codepipeline/latest/userguide/detect-state-changes-cloudwatch-events.html

C is about changes to CodePipeline Configuration Changes not about Monitoring Indiviual pipeline flow. It can be done via CloudTrail API logs though. should be A.

You can now use AWS Config to record configuration changes to AWS CodePipeline, a continuous integration and continuous delivery service. With AWS Config, you can track changes to the pipeline configuration, such as the location of the artifacts, stages, actions included in a stage, and input and output artifacts. AWS Config maintains this configuration change history and you can access it through the console or APIs. Maintaining a change history can help you address audit and compliance requirements. https://aws.amazon.com/about-aws/whats-new/2018/09/aws-config-adds-support-for-aws-codepipeline/

Option C seems to be the nest answer.

The answer is C.

I think its B Give the CDK Pipelines way of doing things a shot first: you might find it does everything you need. If you want or need more control, we recommend you drop down to using the aws-codepipeline construct library directly. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.pipelines-readme.html

Agree it is C “With AWS Config, you can track changes to the pipeline configuration, such as the location of the artifacts, stages, actions included in a stage, and input and output artifacts.” https://aws.amazon.com/about-aws/whats-new/2018/09/aws-config-adds-support-for-aws-codepipeline

C - https://aws.amazon.com/about-aws/whats-new/2018/09/aws-config-adds-support-for-aws-codepipeline/

Use CloudTrail to capture API calls made by or on behalf of CodePipeline in your AWS account and deliver the log files to an Amazon S3 bucket. You can choose to have CloudWatch publish Amazon SNS notifications when new log files are delivered so you can take quick action. https://docs.aws.amazon.com/codepipeline/latest/userguide/monitoring.html

answer is A: https://docs.aws.amazon.com/codepipeline/latest/userguide/monitoring.html

C: You can now use AWS Config to record configuration changes to AWS CodePipeline https://aws.amazon.com/about-aws/whats-new/2018/09/aws-config-adds-support-for-aws-codepipeline/ I guess it cant be A because GuardDuty doesnt monitor Cloudtrail, It is CloudTrail which monitor Guarduty. Using the information collected by CloudTrail, you can determine the request that was made to GuardDuty https://docs.aws.amazon.com/guardduty/latest/ug/logging-using-cloudtrail.html