You are working as a system administrator in a large financial company.
You need to assemble the compliance and security standards of the company, which includes various security, operational, and cost optimization checks in AWS.
The checks should include operational best practices for Logging, S3 and EC2
Which of the following is the most suitable to achieve the requirements?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer: C.
Option A is incorrect because the requirement is to establish security, operational and cost optimization checks.
Security Hub focuses on security status, and the AWS Foundational Security Best Practices checks can not cover the security, operational and cost optimization checks.
Option B is incorrect because a single AWS Config rule and a Lambda function would be inappropriate to perform all the checks required for the company.
Lambda functions also have an execution time limit.
Ideally, it needs multiple AWS Config rules for this task.
Option C is CORRECT because AWS Config Conformance Packs are collections of AWS Config rules and remediation actions that can be easily deployed.
AWS provides lots of sample templates, and users can upload their own templates:
Option D is incorrect because Macie is a service to discover sensitive data across all of the organization's S3 buckets.
However, it does not help to perform other security or operational checks.
References:
https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-console.html, https://aws.amazon.com/security-hub/faqs/Option A is the most suitable solution for assembling compliance and security standards of a large financial company in AWS. Enabling AWS Security Hub and the default AWS Foundational Security Best Practices checks provides continuous monitoring for security and compliance issues across the entire AWS environment.
AWS Security Hub is a fully managed security service that aggregates security findings from various AWS services such as Amazon GuardDuty, Amazon Inspector, and AWS Config. It also includes third-party security tools such as Alert Logic, CrowdStrike, and Trend Micro. AWS Security Hub provides a comprehensive view of the security posture of the AWS environment and helps identify potential security issues and vulnerabilities.
The default AWS Foundational Security Best Practices checks are a set of security and compliance checks that cover various AWS services such as Amazon S3, Amazon EC2, AWS IAM, and Amazon VPC. These checks are designed to provide a baseline of security best practices and are continuously updated based on industry standards and feedback from customers. Enabling these checks ensures that the AWS environment is configured according to best practices and helps identify potential security and compliance issues.
Option B, creating a custom AWS Config rule with a Lambda function, is also a viable solution but requires more effort and resources to develop and maintain. AWS Config is a service that enables the assessment, audit, and evaluation of the configurations of AWS resources. It provides a set of pre-built rules and allows the creation of custom rules using Lambda functions. Creating custom rules requires programming skills and expertise in the AWS environment. Additionally, ongoing maintenance and updates are required to ensure the custom rules remain effective.
Option C, creating AWS Config rules and remediation actions with Conformance Packs based on YAML templates, is also a good solution but requires significant effort and resources to develop and maintain. Conformance Packs are a set of pre-built rules and remediation actions that can be used to ensure compliance with various industry standards and best practices. They are based on YAML templates and can be customized as needed. However, creating and maintaining Conformance Packs requires expertise in the AWS environment and ongoing effort to ensure they remain effective.
Option D, enabling Amazon Macie, is not suitable for this scenario as it is a data security and privacy service that focuses on identifying and protecting sensitive data stored in S3. It does not provide the comprehensive monitoring and compliance capabilities required for assembling compliance and security standards for a large financial company. CloudWatch and Lambda functions can be used to monitor and remediate issues in the AWS environment, but they require the creation of custom rules and ongoing maintenance, as discussed in options B and C.
In summary, option A is the most suitable solution for assembling compliance and security standards of a large financial company in AWS as it provides continuous monitoring and compliance checks across the entire AWS environment using AWS Security Hub and the default AWS Foundational Security Best Practices checks.