AWS Certified Security – Specialty — Question 335
A company has identified two security concerns. One concern is unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. The other concern is public IP addresses that are assigned to Amazon EC2 instances. A security engineer must build a solution to prevent and remediate these security issues.
What should the security engineer do to meet these requirements with the LEAST amount of effort?
Answer options
- A. Use AWS CloudTrail to monitor accounts for noncompliant configurations. Use AWS Lambda functions to evaluate configuration state and perform automated remediation actions.
- B. Use AWS Config rules to monitor accounts for noncompliant configurations. Use AWS Systems Manager Automation to perform automated remediation actions.
- C. Use Amazon GuardDuty to monitor accounts for noncompliant configurations. Use an AWS Lambda function to perform automated remediation actions.
- D. Use AWS Systems Manager Compliance to monitor accounts for noncompliant configurations. Use Systems Manager Automation to perform automated remediation actions.
Correct answer: B
Explanation
AWS Config is designed specifically to continuously monitor and assess resource configurations against desired guidelines, offering built-in rules for EBS encryption and public IP checking. Integrating AWS Config with AWS Systems Manager Automation allows for low-effort, out-of-the-box automated remediation without the need to write and maintain custom AWS Lambda code. Other options like CloudTrail or GuardDuty are not configuration compliance tools and would require significant custom development to achieve the same outcome.
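The following CloudFormation template is an added illustration of option B and is not part of the original question or an AWS-published sample. It declares the two AWS managed Config rules (`ENCRYPTED_VOLUMES` and `EC2_INSTANCE_NO_PUBLIC_IP`) and attaches automatic remediation through Systems Manager Automation documents. The choice of `AWS-EnableEbsEncryptionByDefault` (which prevents new unencrypted volumes account-wide rather than re-encrypting existing ones) and `AWS-StopEC2Instance` (which stops a noncompliant instance so an operator can relaunch it without a public IP) is an assumption about what the company considers acceptable remediation; the role name and rule names are likewise chosen for this example. It assumes an AWS Config configuration recorder and delivery channel already exist in the account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example only - AWS Config managed rules with SSM Automation remediation

Resources:
  # Role that Systems Manager Automation assumes when it runs a remediation.
  # Scoped to the two actions the chosen documents need (least privilege).
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: config-remediation-role   # example name, not from the page
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: remediation-actions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:EnableEbsEncryptionByDefault
                  - ec2:GetEbsEncryptionByDefault
                  - ec2:StopInstances
                  - ec2:DescribeInstances
                Resource: "*"

  # Detect: managed rule that flags every EBS volume that is not encrypted.
  EncryptedVolumesRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: encrypted-volumes
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume

  # Remediate: turn on EBS encryption by default for the account so no
  # further unencrypted volumes can be created (assumed remediation choice).
  EncryptedVolumesRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref EncryptedVolumesRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-EnableEbsEncryptionByDefault
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn

  # Detect: managed rule that flags EC2 instances carrying a public IPv4 address.
  NoPublicIpRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-no-public-ip
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance

  # Remediate: stop the offending instance. RESOURCE_ID is substituted by
  # AWS Config with the noncompliant instance ID at evaluation time.
  NoPublicIpRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref NoPublicIpRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-StopEC2Instance
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
```

Deploying this with `aws cloudformation deploy --template-file config-remediation.yaml --stack-name config-remediation --capabilities CAPABILITY_NAMED_IAM` gives the "least effort" shape the explanation describes: no Lambda code to write or maintain, the evaluation logic lives in the managed rules, and the remediation is an AWS-owned Automation document. Before setting `Automatic: true` in production, run the remediation once with `Automatic: false` and trigger it manually from the Config console, so the team can confirm the document and role work as intended and that stopping instances is an acceptable response for this workload.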