AWS Config Rule for S3 Bucket Policy: Triggering Options

How to Trigger Custom AWS Config Rule for S3 Bucket Policy?

Question

You are working in the IT security team in a big company.

In order to perform security checks in AWS services, you have written dozens of custom AWS Config rules.

One of them is to check if the S3 bucket policy contains certain explicit denies.

This particular Config rule is supposed to be applied for all S3 buckets.

Your manager has asked you how to trigger the custom Config rule.

Which answers are correct? (Select TWO.)

Answers

A. It can be triggered through a cron job such as every 5 minutes.

B. Custom Config rules can only be triggered manually through the AWS Config console or CLI command.

C. It can be triggered whenever there is a configuration change for an S3 bucket.

D. The custom Config rule can be triggered periodically such as every hour.

E. Users can configure in the AWS Config console to trigger the Config rule only when there is a new S3 bucket created.

Explanations

Answer: C and D.

Option A is incorrect because the rule cannot be triggered every 5 minutes.

Refer to screenshot A for more details.

Option B is incorrect because the rule can be triggered automatically.

Manual triggering is not the only way.

Option C is CORRECT because users can configure the trigger type as Configuration changes.

Refer to screenshot B for more details.

Option D is CORRECT because this is an available option while creating a new trigger.

Refer to screenshot A for more details.

Option E is incorrect because users cannot select to trigger the rule when there is a new S3 bucket created.

Instead, users can select the trigger type to be Configuration Changes for S3 buckets.

Screenshot A.

Screenshot B.

There are two types of triggers: Configuration Changes and Periodic.

There is no difference between the AWS managed Config rule and the custom Config rule in terms of triggers.

For more information on using a trigger for a Config rule, kindly refer to the URL below:

https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
[Screenshot A: the Config rule creation form. A banner reads "AWS Config now triggers rules periodically without delivering a configuration snapshot. You can access configuration details captured by AWS Config in your rule." Fields shown: Trigger type (Configuration changes / Periodic), Frequency (24 hours), and Rule parameters (Key / Value).]

The correct answers are C and E.

A. It can be triggered through a cron job such as every 5 minutes. This answer is incorrect because custom Config rules cannot be triggered by a cron job.

B. Custom Config rules can only be triggered manually through the AWS Config console or CLI command. This answer is incorrect because custom Config rules can be triggered automatically by AWS Config when there is a configuration change for a resource that matches the scope of the rule.

C. It can be triggered whenever there is a configuration change for an S3 bucket. This answer is correct because AWS Config can automatically trigger the custom Config rule whenever there is a configuration change for an S3 bucket that matches the scope of the rule. For example, if a new S3 bucket policy is created or an existing one is modified, the custom Config rule can be triggered to check if the policy contains certain explicit denies.

D. The custom Config rule can be triggered periodically such as every hour. This answer is incorrect because custom Config rules cannot be triggered periodically.

E. Users can configure in the AWS Config console to trigger the Config rule only when there is a new S3 bucket created. This answer is correct because AWS Config can be configured to trigger the custom Config rule only when a new S3 bucket is created that matches the scope of the rule. This can help reduce unnecessary checks and improve performance.
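The two trigger types discussed above (Configuration changes and Periodic) and the explicit-deny check the question describes, as an added example that is not part of the original page, the question's rule, or any AWS sample code. The rule definition declares both trigger types in the shape accepted by ConfigService.put_config_rule, and the Lambda side evaluates a bucket's policy for required Deny statements. The rule name, Lambda ARN, account id, bucket name, the RequiredDenyActions parameter and the sample invocation are all constructed for the example; the shape of supplementaryConfiguration.BucketPolicy is an assumption and is handled as either a dict or a JSON string.

```python
"""Added example (not from the page or AWS): a custom Config rule for S3 bucket policies.
Names, ARNs, the RequiredDenyActions parameter and the sample event are constructed."""
import json
from typing import Optional

# Rule definition as accepted by ConfigService.put_config_rule. Both trigger types are
# declared. MaximumExecutionFrequency allows only One_Hour, Three_Hours, Six_Hours,
# Twelve_Hours and TwentyFour_Hours, so a 5-minute schedule is not an option.
CONFIG_RULE = {
    "ConfigRuleName": "s3-bucket-policy-explicit-deny",  # assumed name
    "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
    "Source": {
        "Owner": "CUSTOM_LAMBDA",
        "SourceIdentifier": "arn:aws:lambda:us-east-1:111122223333:function:ExplicitDenyCheck",  # placeholder
        "SourceDetails": [
            {"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"},
            {"EventSource": "aws.config", "MessageType": "ScheduledNotification",
             "MaximumExecutionFrequency": "One_Hour"},
        ],
    },
    # assumed parameter: comma-separated actions the bucket policy must explicitly deny
    "InputParameters": json.dumps({"RequiredDenyActions": "s3:DeleteBucket,s3:PutBucketPolicy"}),
}


def missing_explicit_denies(policy_text: Optional[str], required: set) -> list:
    """Required actions that no Deny statement covers (literal, service:* or * match).
    Conditional Denies still count here; a stricter rule would inspect Condition too."""
    if not policy_text:
        return sorted(required)  # no policy at all: nothing is denied
    statements = json.loads(policy_text).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    denied = set()
    for stmt in statements:
        if stmt.get("Effect") == "Deny":
            actions = stmt.get("Action", [])
            denied.update(a.lower() for a in ([actions] if isinstance(actions, str) else actions))
    return sorted(a for a in required if a.lower() not in denied
                  and "*" not in denied and a.split(":")[0].lower() + ":*" not in denied)


def evaluate(event: dict) -> Optional[dict]:
    """Build one put_evaluations entry from a Config invocation, or None when it carries no
    bucket: a periodic (ScheduledNotification) run has no configurationItem attached, so a
    real rule would enumerate buckets through the S3 or Config APIs on that path."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    required = {a.strip() for a in params.get("RequiredDenyActions", "").split(",") if a.strip()}
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        return None
    item = invoking["configurationItem"]
    if item.get("resourceType") != "AWS::S3::Bucket":
        return None  # the rule Scope already filters this; stay defensive
    result = {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
              "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return {**result, "ComplianceType": "NOT_APPLICABLE", "Annotation": "bucket deleted"}
    # Bucket policy arrives under supplementaryConfiguration.BucketPolicy; assumed to be a
    # dict or a JSON string holding policyText (policyText is None when there is no policy).
    bucket_policy = item.get("supplementaryConfiguration", {}).get("BucketPolicy")
    if isinstance(bucket_policy, str):
        bucket_policy = json.loads(bucket_policy)
    missing = missing_explicit_denies((bucket_policy or {}).get("policyText"), required)
    result["ComplianceType"] = "NON_COMPLIANT" if missing else "COMPLIANT"
    result["Annotation"] = ("missing explicit Deny for: " + ", ".join(missing) if missing
                            else "all required explicit denies present")[:256]
    return result


def lambda_handler(event, context):
    """Lambda entry point: evaluate and report the result back to AWS Config."""
    result = evaluate(event)
    if result is not None:
        import boto3  # lazy import keeps the pure functions above runnable offline
        boto3.client("config").put_evaluations(Evaluations=[result], ResultToken=event["resultToken"])


# Constructed sample policy: denies s3:DeleteBucket but not s3:PutBucketPolicy.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": ["s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::example-bucket"}]})


def sample_event(message_type: str, policy_text: Optional[str] = SAMPLE_POLICY) -> dict:
    """Constructed invocation shaped like what AWS Config hands a custom rule."""
    invoking = {"messageType": message_type}
    if message_type == "ConfigurationItemChangeNotification":
        invoking["configurationItem"] = {
            "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
            "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "supplementaryConfiguration": {"BucketPolicy": {"policyText": policy_text}}}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": CONFIG_RULE["InputParameters"],
            "resultToken": "constructed-token"}
```

Calling `evaluate(sample_event("ConfigurationItemChangeNotification"))` yields a NON_COMPLIANT evaluation whose annotation names s3:PutBucketPolicy, because the constructed policy only denies s3:DeleteBucket; the same call with a ScheduledNotification returns None, since the periodic trigger delivers no configuration item and the rule would have to enumerate buckets itself. The two SourceDetails entries are what the console's Configuration changes and Periodic options produce, and the One_Hour floor on MaximumExecutionFrequency is the reason an hourly schedule is available while a 5-minute one is not.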