Who Uses CloudFormation Stacks in AWS Account? | AWS Certified DevOps Engineer Exam Answer

Question

You are a DevOps Engineer for your company.

The company has a number of CloudFormation templates in AWS.

The IT Security department has raised a concern: they want to know who is using the CloudFormation stacks in the company's AWS account.

Which of the following can be done to address this security concern?

Explanations


Answer - B.

This is given as a best practice in the AWS documentation.

AWS CloudTrail records anyone making AWS CloudFormation API calls in your AWS account.

API calls are logged whenever anyone uses the AWS CloudFormation API, the AWS CloudFormation console, a back-end console, or AWS CloudFormation AWS CLI commands.

Create a trail and specify an Amazon S3 bucket to store the logs. Without a trail, CloudTrail only keeps the last 90 days of management events in the console's Event history, which is not a durable audit record.

That way, if you ever need to, you can audit who made what AWS CloudFormation call in your account.

For more information on the best practices, please visit the below URL:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html

The IT Security department has raised a concern regarding the usage of CloudFormation stacks in the AWS account and wants to know who is using them. To address this security concern, enable CloudTrail logging so that the API calls made to CloudFormation are recorded, together with the identity of the caller.

Option B is the correct answer.

CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It records the management API calls made in your AWS account, including the calls that create, update, or delete CloudFormation stacks, and each record carries the identity (IAM user, assumed role, or root) that made the call.

By enabling CloudTrail logs, we can monitor the usage of the CloudFormation stacks and identify who created or modified them. CloudTrail also records the calls that CloudFormation makes to other services on the caller's behalf while creating or updating resources; those records carry invokedBy set to cloudformation.amazonaws.com. One caveat: if a stack is operated with a CloudFormation service role, those downstream resource calls show the service role as the identity, so the CreateStack, UpdateStack, or DeleteStack record itself is the one that identifies the actual user.
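The following is an added example, not code from the original page or from AWS documentation. It shows what the audit described above looks like once the trail is delivering logs: it reads a CloudTrail log file in the same shape CloudTrail writes to S3 (a gzipped JSON document with a Records array), keeps the CloudFormation calls plus the downstream calls CloudFormation made on a caller's behalf, resolves the calling principal (including the session name behind an assumed role), and reports which principals changed which stacks. The log records, account ID, ARNs and stack names are constructed for illustration; the function names are the example's own.

```python
import gzip
import io
import json
from collections import defaultdict

CFN = "cloudformation.amazonaws.com"

# CloudFormation API names with these prefixes only read state; everything
# else (CreateStack, UpdateStack, DeleteStack, ExecuteChangeSet, ...) mutates it.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Validate", "Detect", "Estimate")

# Constructed sample: a miniature CloudTrail log file. Account ID, ARNs,
# IP addresses and stack names are made up for illustration.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": CFN, "eventName": "CreateStack",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"stackName": "web-tier"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": CFN, "eventName": "UpdateStack",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/bob@example.com",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "arn": "arn:aws:iam::111122223333:role/DeployRole"}}},
     "requestParameters": {"stackName": "web-tier"}},
    # A call CloudFormation made on bob's behalf while updating the stack.
    {"eventTime": "2024-05-01T11:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "invokedBy": CFN,
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/bob@example.com"}},
    # Unrelated call; must be ignored by the CloudFormation audit.
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"}},
    # Read-only CloudFormation call: usage, but not a change.
    {"eventTime": "2024-05-01T13:00:00Z", "eventSource": CFN, "eventName": "DescribeStacks",
     "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"stackName": "web-tier"}},
]}


def make_sample_gz() -> bytes:
    """Gzip the constructed sample so it has the same shape as an S3 log object."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(SAMPLE_LOG).encode())
    return buf.getvalue()


def load_records(gz_bytes: bytes) -> list:
    """Decompress one CloudTrail log object and return its Records list."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def principal(identity: dict) -> str:
    """Human-readable caller: 'root', 'user', or 'RoleName/session-name'."""
    kind = identity.get("type")
    arn = identity.get("arn", "")
    if kind == "Root":
        return "root"
    if kind == "AssumedRole" and "assumed-role/" in arn:
        return arn.split("assumed-role/", 1)[1]  # keeps the session name (often the human)
    if kind == "IAMUser":
        return identity.get("userName") or arn.rsplit("/", 1)[-1]
    return arn or kind or "unknown"


def cloudformation_activity(records: list) -> list:
    """Every record that is a CloudFormation call or a call made by CloudFormation."""
    out = []
    for r in records:
        ident = r.get("userIdentity", {})
        direct = r.get("eventSource") == CFN
        on_behalf = ident.get("invokedBy") == CFN
        if not (direct or on_behalf):
            continue
        out.append({
            "time": r.get("eventTime"),
            "principal": principal(ident),
            "event": r.get("eventName"),
            "service": r.get("eventSource"),
            "stack": (r.get("requestParameters") or {}).get("stackName"),
            "region": r.get("awsRegion"),
            "source_ip": r.get("sourceIPAddress"),
            "via_cloudformation": on_behalf,
        })
    return out


def who_changed_stacks(records: list) -> dict:
    """Map stack name -> set of principals that made a mutating CloudFormation call."""
    changes = defaultdict(set)
    for a in cloudformation_activity(records):
        if a["via_cloudformation"] or a["stack"] is None:
            continue
        if a["event"].startswith(READ_ONLY_PREFIXES):
            continue
        changes[a["stack"]].add(a["principal"])
    return dict(changes)


if __name__ == "__main__":
    recs = load_records(make_sample_gz())
    for a in cloudformation_activity(recs):
        print(f'{a["time"]} {a["principal"]:<28} {a["event"]:<15} stack={a["stack"]}')
    print(who_changed_stacks(recs))
```

In production the same functions run over the objects CloudTrail delivers under the trail's S3 prefix (or over an Athena table built on that prefix); the point of resolving the assumed-role session name is that a shared deployment role would otherwise hide which person actually ran the update.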

Option A is incorrect because CloudWatch Events is a near-real-time event routing mechanism, not an audit log; reacting to resource creation events does not give the security team a durable record of who created or modified each stack.

Option C is also incorrect because CloudWatch Logs only stores log data that something writes to it; CloudFormation does not write stack operations there by itself, and the log data would not identify who used the stack.

Option D is incorrect because wiring a queue to CloudFormation would only deliver messages when stack events occur (CloudFormation's native notification mechanism is SNS, not SQS), and such messages do not identify who created or modified the stack.