AWS Certified Solutions Architect – Professional — Question 278

A company with multiple accounts is currently using a configuration that does not meet the following security governance policies:
✑ Prevent ingress from port 22 to any Amazon EC2 instance.
✑ Require billing and application tags for resources.
✑ Encrypt all Amazon EBS volumes.
A solutions architect wants to provide preventive and detective controls, including notifications about a specific resource, if there are policy deviations.
Which solution should the solutions architect implement?

Answer options

• A. Create an AWS CodeCommit repository containing policy-compliant AWS CloudFormation templates. Create an AWS Service Catalog portfolio. Import the CloudFormation templates by attaching the CodeCommit repository to the portfolio. Restrict users across all accounts to items from the AWS Service Catalog portfolio. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule for deviations, and associate a CloudWatch alarm to send notifications when the TriggeredRules metric is greater than zero.
• B. Use AWS Service Catalog to build a portfolio with products that are in compliance with the governance policies in a central account. Restrict users across all accounts to AWS Service Catalog products. Share a compliant portfolio to other accounts. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule to send a notification when a deviation occurs.
• C. Implement policy-compliant AWS CloudFormation templates for each account, and ensure that all provisioning is completed by CloudFormation. Configure Amazon Inspector to perform regular checks against resources. Perform policy validation and write the assessment output to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to increment a metric when a deviation occurs. Configure a CloudWatch alarm to send notifications when the configured metric is greater than zero.
• D. Restrict users and enforce least privilege access using AWS IAM. Consolidate all AWS CloudTrail logs into a single account. Send the CloudTrail logs to Amazon Elasticsearch Service (Amazon ES). Implement monitoring, alerting, and reporting using the Kibana dashboard in Amazon ES and with Amazon SNS.

Correct answer: B

Explanation

AWS Service Catalog acts as a preventive control by allowing administrators to centrally manage and distribute compliant IT services across multiple accounts, restricting users to pre-approved configurations. AWS Config managed rules serve as the detective control to continuously evaluate resource configurations against the defined governance policies. Using Amazon EventBridge (formerly CloudWatch Events) to trigger notifications upon AWS Config compliance changes ensures immediate and resource-specific alerting.