AWS Certified SysOps Administrator – Associate — Question 374
A company that uses ServiceNow has an AWS account where a sensitive workload runs. The necessary security groups are in place. The company needs to implement a solution to create an incident in ServiceNow every time the rules change in any security group.
Which solution will meet this requirement with the LEAST operational effort?
Answer options
- A. Create an Amazon CloudWatch alarm that enters ALARM state when security groups change. Configure the alarm to invoke an AWS Lambda function that connects to ServiceNow to create an incident.
- B. Enable AWS Security Hub. Create an AWS Lambda function that connects to ServiceNow to create an incident. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as Security Hub Findings - Custom Action. Configure the EventBridge rule to invoke the Lambda function.
- C. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as AWS API Call via CloudTrail. Configure the EventBridge rule to run the AWS-CreateServiceNowIncident AWS Systems Manager Automation runbook to create an incident in ServiceNow.
- D. Launch an Amazon EC2 instance that has a persistent connection to ServiceNow to detect security group changes. Export AWS CloudTrail logs to the EC2 instance. Write a bash script to run a scheduled cron job every 30 minutes to search the CloudTrail logs for security group changes. Configure the EC2 instance to create an incident in ServiceNow when a change is detected.
Correct answer: C
Explanation
Option C is correct because using an Amazon EventBridge rule to trigger the pre-built AWS-CreateServiceNowIncident Systems Manager Automation runbook requires no custom code, which minimizes operational effort. Options A and B require writing and maintaining custom AWS Lambda code to manage the ServiceNow API integration, which increases overhead. Option D introduces the highest operational burden by requiring the deployment, patching, and maintenance of an EC2 instance alongside custom scripting.
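As an added example (not part of the question and not AWS-provided code), the EventBridge event pattern that option C relies on, paired with a small matcher that shows which CloudTrail-delivered events would start the runbook; the event names are real EC2 API actions, while the sample events and the matcher itself are constructed for illustration.

```python
import json

# Event pattern for the "AWS API Call via CloudTrail" event type, restricted to
# the EC2 API actions that add, remove or modify security group rules. Read-only
# calls such as DescribeSecurityGroups are deliberately not listed.
SECURITY_GROUP_RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": [
            "AuthorizeSecurityGroupIngress",
            "AuthorizeSecurityGroupEgress",
            "RevokeSecurityGroupIngress",
            "RevokeSecurityGroupEgress",
            "ModifySecurityGroupRules",
        ],
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-value subset of EventBridge pattern semantics (constructed here):
    every pattern key must exist in the event, nested dicts recurse, and a
    list means the event value must be one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def rule_pattern_json() -> str:
    """The pattern as the JSON string pasted into the EventBridge rule."""
    return json.dumps(SECURITY_GROUP_RULE_PATTERN, indent=2)


def make_event(event_name, source="aws.ec2", event_source="ec2.amazonaws.com"):
    """Constructed sample event in the shape EventBridge delivers CloudTrail calls."""
    return {"source": source, "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": event_source, "eventName": event_name}}


if __name__ == "__main__":
    print(rule_pattern_json())
    print(matches(SECURITY_GROUP_RULE_PATTERN, make_event("AuthorizeSecurityGroupIngress")))  # True
    print(matches(SECURITY_GROUP_RULE_PATTERN, make_event("DescribeSecurityGroups")))  # False
```

CloudTrail management events reach EventBridge in the Region where the call was made, so the rule is needed in every Region that holds security groups, and its target needs an IAM role permitted to call ssm:StartAutomationExecution.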