AWS Cloud Practitioner Exam: Capturing AWS Resource Changes for Audits

Capture AWS Resource Changes for Audits

Question

While making changes to AWS resources, e.g. adding a new Security Group ingress rule, I need to capture and record all of these changes so that they are available during an audit.

Which of the following AWS services helps me do that?

Answers

Explanations

A. AWS Trusted Advisor
B. Amazon CloudWatch
C. AWS Config
D. AWS CloudFormation

Answer: C.

Option A is incorrect because AWS Trusted Advisor cannot record the details of configuration changes in the AWS account.

Option B is incorrect because CloudWatch is a monitoring tool that captures metrics such as CPU utilization and memory utilization.

Once the data is captured, it can be used to build dashboards that display usage patterns and to create alarms that automate resource creation, e.g. launching a new EC2 instance when the average CPU utilization of an Auto Scaling group goes above 70%.

Option C is CORRECT.

AWS Config records and captures all configuration changes made to AWS resources using the Configuration Recorder.

Configuration Items created by AWS Config can be delivered to S3 and stored as log files.

These log files can be retained according to the S3 lifecycle policies you define and referred to during any audit.

Using an automated configuration management tool helps an organization track the compliance of its resources.

Option D is incorrect because AWS CloudFormation is used to automate the creation of AWS resources in organizations that are large and run a complex infrastructure that would be difficult to create manually.

References:

https://aws.amazon.com/config/
https://youtu.be/kcwy_DWU8ao

The AWS service that can help capture and record changes made to AWS resources for auditing purposes is AWS Config.

AWS Config is a service that provides a detailed inventory of the resources in an AWS account and captures a history of configuration changes made to those resources. It also allows you to define rules for monitoring resource configurations and receive alerts if a resource configuration violates those rules.

When you make changes to AWS resources, AWS Config can capture those changes and record them in a configuration history. This allows you to track changes to your resources over time and helps with compliance and auditing requirements.
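To show what an auditor actually does with the configuration history that AWS Config delivers (the Option C explanation above and this paragraph), here is an added example, not from the original page: it diffs two consecutive configuration items for a security group and lists the ingress rules that were added or removed. The item layout is assumed to follow the shape of AWS Config configuration items for AWS::EC2::SecurityGroup, and both records are constructed sample data, not captured from a real account.

```python
# Added example (not from the original page): diff two AWS Config
# configuration items for a security group to list changed ingress rules.
# Assumption: the item layout follows AWS Config's configuration item shape
# for AWS::EC2::SecurityGroup; both records are constructed sample data.
import json

BEFORE = {  # constructed: the group as recorded before the change
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",  # constructed id
    "configurationItemCaptureTime": "2024-01-10T09:00:00Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "10.0.0.0/16"}]},
    ]},
}
# constructed: the next item, after an SSH-from-anywhere rule was added
AFTER = json.loads(json.dumps(BEFORE))
AFTER["configurationItemCaptureTime"] = "2024-01-10T09:05:00Z"
AFTER["configuration"]["ipPermissions"].append(
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}]})

def _rules(item):
    """Flatten ipPermissions into hashable (proto, from, to, cidr) tuples."""
    out = set()
    for perm in item["configuration"].get("ipPermissions", []):
        for rng in perm.get("ipRanges", []):
            out.add((perm["ipProtocol"], perm.get("fromPort"),
                     perm.get("toPort"), rng["cidrIp"]))
    return out

def diff_ingress(before, after):
    """Return the ingress rules added and removed between two items."""
    old, new = _rules(before), _rules(after)
    # key=str keeps sorting stable when a port is None (e.g. protocol "-1")
    return {"resourceId": after["resourceId"],
            "captured": after["configurationItemCaptureTime"],
            "added": sorted(new - old, key=str),
            "removed": sorted(old - new, key=str)}

def world_open(delta):
    """Added rules open to 0.0.0.0/0: the first thing an auditor asks about."""
    return [r for r in delta["added"] if r[3] == "0.0.0.0/0"]

if __name__ == "__main__":
    delta = diff_ingress(BEFORE, AFTER)
    print(json.dumps(delta, indent=2))
    print("world-open additions:", world_open(delta))
```

In practice the two items would be read from the history files AWS Config delivers to S3 (or from GetResourceConfigHistory) rather than embedded as literals.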

In contrast, AWS Trusted Advisor is a service that provides recommendations for optimizing your AWS resources and improving performance, security, and cost efficiency. It does not provide the ability to capture and record changes made to AWS resources.

AWS CloudWatch is a monitoring service that can collect and track metrics, collect and monitor log files, and set alarms. It does not provide the ability to capture and record changes made to AWS resources.

AWS CloudFormation is a service that provides a way to automate the deployment of infrastructure as code. It does not provide the ability to capture and record changes made to AWS resources for auditing purposes. However, it can be used to create AWS Config rules to monitor and enforce compliance with resource configurations.