AWS Certified Security – Specialty (SCS-C02) — Question 283

A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.

Which solution will meet this requirement in the MOST operationally efficient way?

Answer options

• A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
• B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.
• C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
• D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.

Correct answer: B

Explanation

AWS Config is specifically designed to track resource configuration history and natively records only the latest configuration state when multiple changes occur in quick succession, making it the most operationally efficient solution. AWS CloudTrail and Amazon CloudWatch capture individual API calls and event logs rather than state-in-time resource configurations, which would require complex custom logic to reconstruct the final state. AWS Cloud Map is a service discovery service and cannot be used for resource configuration tracking or compliance monitoring.