AWS Certified Security – Specialty — Question 505
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)
Answer options
- A. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
- B. Create an AWS Config configuration item for each VPC in the company AWS account.
- C. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
- D. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
- E. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
Correct answer: A, E
Explanation
To automate compliance auditing for VPC Flow Logs, an AWS Config custom rule is required, since there is no default managed rule that directly evaluates this configuration. The custom rule must be associated with an AWS Lambda function that contains the evaluation logic: it inspects each VPC and reports whether Flow Logs are enabled. The other options, such as creating configuration items manually or using CloudWatch Event rules, do not provide the evaluation mechanism itself.