Compliance Monitoring for AWS Infrastructure | SCS-C01 Exam Answer

Ensuring Compliance and Encryption for EC2 Instances

Question

A security engineer must ensure that all infrastructure launched in the company's AWS account is monitored for deviation from compliance rules.

All EC2 instances must be launched from one of a specified list of AMIs with all attached EBS volumes being encrypted.

The non-compliant infrastructure should be terminated. What combination of steps should the engineer choose? (Select TWO.)

Answers

Explanations

Answer: B and D.

Option A is incorrect because CloudWatch events based on Trusted Advisor metrics would not help identify whether the infrastructure is compliant.

Option B is correct because a Lambda function can be triggered by the CloudWatch event rule and terminate the non-compliant infrastructure.

Option C is incorrect because Amazon Inspector cannot be used to check whether instances are launched from a specific AMI.

Option D is correct because AWS Config can perform the compliance checks and emit an event whenever it finds non-compliant infrastructure.

Option E is incorrect because triggering a CLI command on an EC2 instance would not be a cost-efficient option; a Lambda function is the better choice because it is serverless.

For more information on AWS Config Rules, refer to the URL below:

https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html

For more information on CloudWatch Events (now EventBridge), see the links below:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html

https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html

The security engineer needs to ensure that all infrastructure launched in the company AWS account is monitored for deviation from compliance rules. EC2 instances must be launched from a specific list of AMIs with all attached EBS volumes being encrypted, and non-compliant infrastructure should be terminated.

To achieve this, the engineer should take the following steps:

  1. Monitor compliance with AWS Config Rules triggered by configuration changes: AWS Config records configuration changes to AWS resources and evaluates them against rules. The engineer can set up Config rules that check which AMI an instance was launched from and whether each of its attached EBS volumes is encrypted. If a resource is launched that fails these checks, the rule evaluates it as non-compliant and the engineer is notified.

  2. Trigger a Lambda function from the CloudWatch event rule for AWS Config "Compliance Rules Notification Change" to terminate the non-compliant infrastructure: When the AWS Config rule marks a resource non-compliant, the CloudWatch event rule triggers a Lambda function that terminates that resource. The Lambda function's execution role must be granted the IAM permissions needed to terminate the resources in question.
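
As an added example (not code from the exam page or from AWS), the decision logic behind both steps as Python for Lambda: a custom Config rule that checks the AMI and the encryption of every attached volume in one evaluation, and the filter the remediation Lambda applies to the compliance-change event before it calls ec2.terminate_instances. The AMI and volume IDs, the sample configuration item and the handler names are constructed assumptions; AWS Config's managed rules approved-amis-by-id and encrypted-volumes cover the two checks separately if a custom rule is not wanted.

```python
import json

# Constructed placeholder IDs standing in for the company's approved AMI list.
APPROVED_AMIS = {"ami-0123456789abcdef0", "ami-0fedcba9876543210f"}

# Constructed sample of configurationItem.configuration for an AWS::EC2::Instance, plus
# the per-volume encryption state the Lambda would otherwise fetch via ec2.describe_volumes.
SAMPLE_CONFIGURATION = {
    "imageId": "ami-0123456789abcdef0",
    "blockDeviceMappings": [
        {"deviceName": "/dev/xvda", "ebs": {"volumeId": "vol-0aaa"}},
        {"deviceName": "/dev/xvdb", "ebs": {"volumeId": "vol-0bbb"}},
    ],
}
SAMPLE_VOLUME_ENCRYPTION = {"vol-0aaa": True, "vol-0bbb": False}

def evaluate_instance(configuration, approved_amis, volume_is_encrypted):
    """Custom Config rule verdict for one instance. volume_is_encrypted(volume_id) is
    injected because an instance's configuration item lists volume IDs, not their
    encryption state; injecting it also lets this decision logic run without AWS."""
    ami = configuration.get("imageId")
    if ami not in approved_amis:
        return "NON_COMPLIANT", f"AMI {ami} is not on the approved list"
    unencrypted = [m["ebs"]["volumeId"] for m in configuration.get("blockDeviceMappings", [])
                   if "ebs" in m and not volume_is_encrypted(m["ebs"]["volumeId"])]
    if unencrypted:
        return "NON_COMPLIANT", "unencrypted EBS volumes: " + ", ".join(unencrypted)
    return "COMPLIANT", "approved AMI and all attached EBS volumes encrypted"

def config_rule_handler(event, context):
    """Step 1 Lambda behind the custom Config rule: evaluate, then report back to Config."""
    import boto3  # imported here so the decision logic above stays importable offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    ec2 = boto3.client("ec2")
    encrypted = lambda vid: ec2.describe_volumes(VolumeIds=[vid])["Volumes"][0]["Encrypted"]
    verdict, note = evaluate_instance(item["configuration"], APPROVED_AMIS, encrypted)
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict, "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"]}])

def instances_to_terminate(detail):
    """Step 2 decision: from an EventBridge 'Config Rules Compliance Change' event detail,
    return the EC2 instance that just became NON_COMPLIANT (the remediation Lambda hands
    this list to ec2.terminate_instances); other resource types are never touched."""
    if (detail.get("resourceType") != "AWS::EC2::Instance"
            or detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT"):
        return []
    return [detail["resourceId"]]
```

With the constructed sample, the rule reports NON_COMPLIANT and names vol-0bbb in the annotation, which is what the remediation event rule then matches on.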

Therefore, options D and B are the correct answers to the question.

Option A is incorrect because it suggests setting up a CloudWatch event based on Trusted Advisor metrics. Trusted Advisor provides recommendations for best practices to improve performance, security, and cost optimization. It is not designed for compliance monitoring.

Option C is incorrect because it suggests setting up a CloudWatch event based on Amazon Inspector findings. Amazon Inspector is a security assessment service that helps identify security vulnerabilities in the application and network stack. It is not designed for compliance monitoring.

Option E is incorrect because it suggests triggering a CLI command in an EC2 instance from a CloudWatch event to terminate the infrastructure. This approach is not scalable and depends on a running instance and manual intervention, which is error-prone and time-consuming.