AWS Certified Security – Specialty (SCS-C03) — Question 7
A security engineer wants to evaluate configuration changes to a specific AWS resource to ensure that the resource meets compliance standards. However, the security engineer is concerned about a situation in which several configuration changes are made to the resource in quick succession. The security engineer wants to record only the latest configuration of that resource to indicate the cumulative impact of the set of changes.
Which solution will meet this requirement in the MOST operationally efficient way?
Answer options
- A. Use AWS CloudTrail to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
- B. Use AWS Config to detect the configuration changes and to record the latest configuration in case of multiple configuration changes.
- C. Use Amazon CloudWatch to detect the configuration changes by filtering API calls to monitor the changes. Use the most recent API call to indicate the cumulative impact of multiple calls.
- D. Use AWS Cloud Map to detect the configuration changes. Generate a report of configuration changes from AWS Cloud Map to track the latest state by using a sliding time window.
Correct answer: B
Explanation
The correct answer is B because AWS Config is specifically designed to track and record the configuration of AWS resources, and it captures the latest state efficiently. Options A and C rely on AWS CloudTrail and Amazon CloudWatch, which do not provide the same level of detailed configuration tracking as AWS Config. Option D relies on AWS Cloud Map, which is useful for service discovery but does not serve the purpose of compliance monitoring effectively.