AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 295

A company is using AWS CloudFormation to perform deployments of its application environment. A deployment failed during a recent update to the existing CloudFormation stack. A DevOps engineer discovered that some resources in the stack were manually modified.

The DevOps engineer needs a solution that detects manual modification of resources and sends an alert to the DevOps lead.

Which solution will meet these requirements with the LEAST operational effort?

Answer options

• A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps lead to the topic by using an email address. Create an AWS Config managed rule that has the CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK identifier. Create an Amazon EventBridge rule that is invoked on the NON_COMPLIANT resources status. Set the SNS topic as the rule target.
• B. Tag all CloudFormation resources with a specific tag. Create an AWS Config custom rule by using the AWS Config Rules Development Kit Library (RDKlib) that checks all resource changes that have the specific tag. Configure the custom rule to mark all the tagged resource changes as NON_COMPLIANT when the change is not performed by CloudFormation. Create an Amazon EventBridge rule that is invoked on the NON_COMPUANT resources status. Create an AWS Lambda function that sends an email message to the DevOps lead. Set the Lambda function as the rule target.
• C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps lead to the topic by using an email address. Create an AWS Config managed rule that has the CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK identifier. Create an Amazon EventBridge rule that is invoked on the COMPLIANT resources status. Set the SNS topic as the rule target.
• D. Create an AWS Config managed rule that has the CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK identifier. Create an Amazon EventBridge rule that is invoked on the NON_COMPLIANT resources status. Create an AWS Lambda function that sends an email message to the DevOps lead. Set the Lambda function as the rule target.

Correct answer: A

Explanation

Option A is correct because using the AWS Config managed rule CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK alongside Amazon EventBridge and Amazon SNS provides a fully serverless, native integration that requires zero custom code. Option C is incorrect because it triggers notifications on COMPLIANT states rather than drift events. Options B and D introduce unnecessary operational overhead by requiring custom code development and maintenance through the AWS Config Rules Development Kit or AWS Lambda.