AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 85

A company’s network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources.

Which solution will meet these requirements?

Answer options

• A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes. Configure the rule to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
• B. Create custom metrics from Amazon CloudWatch logs. Use the metrics to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
• C. Record the current state of network resources by using AWS Config. Create rules that reflect the desired configuration settings. Set remediation for noncompliant resources.
• D. Record the current state of network resources by using AWS Systems Manager Inventory. Use Systems Manager State Manager to enforce the desired configuration settings and to carry out remediation for noncompliant resources.

Correct answer: C

Explanation

The correct answer is C, as AWS Config allows for tracking changes, enforcing compliance, and provides historical configurations of resources. Option A focuses on event monitoring without historical tracking, while option B relies on CloudWatch logs, which do not provide the same level of compliance assurance. Option D uses Systems Manager, which is not primarily designed for compliance tracking like AWS Config.