AWS Certified SysOps Administrator – Associate — Question 88
A SysOps administrator is responsible for a company’s security groups. The company wants to maintain a documented trail of any changes that are made to the security groups. The SysOps administrator must receive notification whenever the security groups change.
Which solution will meet these requirements?
Answer options
- A. Set up Amazon Detective to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Queue Service (Amazon SQS) queue for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SQS queue.
- B. Set up AWS Systems Manager Change Manager to record security group changes. Specify an Amazon CloudWatch Logs log group to store configuration history logs. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SNS topic.
- C. Set up AWS Config to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SNS topic.
- D. Set up Amazon Detective to record security group changes. Specify an Amazon S3 bucket as the location for configuration snapshots and history files. Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications about configuration changes. Subscribe the SysOps administrator’s email address to the SNS topic.
Correct answer: C
Explanation
The correct answer is C because AWS Config is designed to record and track changes to AWS resources, including security groups, and it can send notifications through Amazon SNS. Option A is incorrect because Amazon Detective is not used for change tracking, and SQS is not the preferred method for notification in this context. Option B uses AWS Systems Manager Change Manager, which is not the best fit for tracking security group changes. Option D also relies on Amazon Detective, which does not fulfill the requirement for tracking configuration changes.