AWS Certified Security – Specialty — Question 371
A company is operating an AWS workload that consists of multiple applications that are deployed on Amazon EC2 instances. Recent changes to a security group caused connectivity issues for some application instances that use the security group. The company now needs all changes to security groups to initiate an alert to a specific company email address.
Which solution will meet this requirement in the MOST operationally efficient manner?
Answer options
- A. Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Notification Service (Amazon SNS) topic.
- B. Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Queue Service (Amazon SQS) queue.
- C. Implement AWS CloudTrail. Configure forwarding to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter with a pattern match on all security group changes. Configure an Amazon CloudWatch alarm to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
- D. Implement AWS CloudTrail. Configure forwarding to Amazon S3. Configure an AWS Glue crawler for use with Amazon Athena to query log contents for event patterns that indicate changes to security groups. Publish the query results to an Amazon Simple Queue Service (Amazon SQS) queue.
Correct answer: C
Explanation
AWS CloudTrail records every EC2 API call that creates, deletes, or changes a security group (CreateSecurityGroup, DeleteSecurityGroup, AuthorizeSecurityGroupIngress/Egress, RevokeSecurityGroupIngress/Egress, and the newer ModifySecurityGroupRules). Delivering the trail to a CloudWatch Logs log group lets a metric filter match those eventName values in near real time; a CloudWatch alarm on the resulting metric (Sum >= 1 over one period) publishes to an Amazon SNS topic, and an email subscription on that topic delivers the alert to the company address. This is the same pattern the CIS AWS Foundations Benchmark prescribes for security group changes, uses only managed services with no code to operate, and is therefore the most operationally efficient choice. Options A and B misuse AWS Config: a remediation action runs an SSM Automation document against a noncompliant resource rather than sending a notification, a manual remediation also needs a person to trigger it, and SQS (options B and D) is a queue, not an email delivery mechanism. Option D works on CloudTrail log files in S3, which arrive in batches, and querying them with Athena through a Glue crawler is a scheduled or manual step that adds cost and latency. Two practical caveats for option C: the SNS email subscription must be confirmed by the recipient before anything is delivered, and the alarm email only states that the metric crossed its threshold, so the responder still has to query the log group to see who changed which group.
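The detection logic behind option C, as an added example that is not part of the exam page: the metric filter pattern the CIS benchmark uses for security group changes (extended with ModifySecurityGroupRules, which is an assumption about what the company wants to catch) and a local Python matcher that applies the same eventName test to constructed CloudTrail records, so you can see which events would increment the metric before deploying the filter. All principals, group IDs, and timestamps below are made up.

```python
"""Local model of the CloudWatch Logs metric filter behind option C.

Added example, not from the exam page. The event list follows the CIS AWS
Foundations Benchmark "security group changes" filter plus
ModifySecurityGroupRules (assumption: rule edits by rule ID should alert too).
The CloudTrail records below are constructed, not real log data.
"""
import json

# EC2 API actions that create, delete, or change a security group's rules.
SG_CHANGE_EVENTS = frozenset({
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
})

# The same set in CloudWatch Logs JSON filter-pattern syntax, as you would pass
# to `aws logs put-metric-filter --filter-pattern`.
FILTER_PATTERN = "{ " + " || ".join(
    f"($.eventName = {name})" for name in sorted(SG_CHANGE_EVENTS)
) + " }"


def is_security_group_change(record: dict) -> bool:
    """Mirror what the metric filter matches: eventName only.

    Failed or denied calls (records carrying errorCode) still match, which is
    usually desirable: an attempt to open a port is worth an alert on its own.
    """
    return record.get("eventName") in SG_CHANGE_EVENTS


def find_security_group_changes(log_lines):
    """Return the parsed records that would each add 1 to the metric.

    CloudTrail delivers one JSON record per CloudWatch Logs event; lines that
    are not valid JSON are skipped rather than crashing the detector.
    """
    matches = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_security_group_change(record):
            matches.append(record)
    return matches


def alert_lines(records):
    """One human-readable line per change for triage notes or an email body.

    The CloudWatch alarm email itself only says the metric crossed its
    threshold; this is the detail a responder pulls from the log group next.
    """
    out = []
    for r in records:
        who = r.get("userIdentity", {}).get("arn", "unknown-principal")
        target = r.get("requestParameters", {}).get("groupId", "?")
        line = f"{r['eventTime']} {r['eventName']} by {who} on {target}"
        if "errorCode" in r:
            line += f" [FAILED: {r['errorCode']}]"
        out.append(line)
    return out


# Constructed CloudTrail records, trimmed to the fields used above.
SAMPLE_CLOUDTRAIL_LINES = [json.dumps(r) for r in (
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups",  # read-only call: must not alert
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Monitoring"},
     "requestParameters": {}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupEgress",
     "errorCode": "Client.UnauthorizedOperation",  # denied attempt: still alerts
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySecurityGroupRules",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Deploy"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
)] + ["not json at all"]  # junk line to show the parser tolerates it


if __name__ == "__main__":
    print(FILTER_PATTERN)
    for line in alert_lines(find_security_group_changes(SAMPLE_CLOUDTRAIL_LINES)):
        print(line)
```

To deploy the real thing, pass FILTER_PATTERN to `aws logs put-metric-filter` on the log group the trail writes to, create the alarm with `aws cloudwatch put-metric-alarm` (statistic Sum, threshold 1, one evaluation period) pointing at the SNS topic, and add the address with `aws sns subscribe --protocol email`; the alarm stays silent until the recipient confirms the subscription. If you only want successful changes to alert, wrap the eventName clauses in parentheses and append `&& ($.errorCode NOT EXISTS)` to the pattern, at the cost of losing visibility into denied attempts.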