AWS Certified Security – Specialty (SCS-C02) — Question 303
A company needs to retain data that is stored in Amazon CloudWatch Logs log groups. The company must retain this data for 90 days. The company must receive notification in AWS Security Hub when log group retention is not compliant with this requirement.
Which solution will provide the appropriate notification?
Answer options
- A. Create a Security Hub custom action to assess the log group retention period.
- B. Create a data protection policy in CloudWatch Logs to assess the log group retention period.
- C. Create a Security Hub automation rule. Configure the automation rule to assess the log group retention period.
- D. Use the AWS Config managed rule that assesses the log group retention period. Ensure that AWS Config integration is enabled in Security Hub.
Correct answer: D
Explanation
AWS Config provides a managed rule specifically designed to check whether Amazon CloudWatch Logs log groups meet a minimum retention period. When the AWS Config integration with AWS Security Hub is enabled, any non-compliance detected by this rule automatically generates a finding in Security Hub, which provides the required notification. Security Hub custom actions, Security Hub automation rules, and CloudWatch Logs data protection policies operate on existing findings or on log data content; none of them natively performs this resource configuration compliance check.