AWS Config Rule Implementation for Custom Checks

Question

As an AWS security specialist, you are working on applying AWS Config rules to all AWS accounts to ensure that AWS resources meet security requirements.

One of the security checks is to inspect whether EC2 resources have appropriate Tags.

If not, the rule will be non-compliant.

There is an existing AWS Config rule called required-tags.

However, it does not meet your needs.

For example, you want the rule to check specific resources in certain availability zones.

How should you implement the Config rule to perform custom checks?

Answers

A. Create an AWS Lambda function to perform the custom checks. Then configure a custom AWS Config rule to invoke the Lambda function.

B. Submit a support request to update the AWS-provided Config rule required-tags.

C. In Systems Manager Automation, create an automation document that performs custom checks. Configure a custom AWS Config rule which invokes the document.

D. Configure a custom AWS Config rule to invoke a CloudWatch Event. Create a new CloudWatch Event rule with a Lambda function as the target. Use the AWS Lambda function to perform required custom checks.

Explanations

Answer - A.

Option A is CORRECT because users can develop custom rules using Lambda functions and then add them to AWS Config rules.

Refer to the below snapshot for more information.

Option B is incorrect because users can edit their own Config rules.

Option C is incorrect because the custom AWS Config rule needs to execute a Lambda function rather than an Automation document in Systems Manager.

Option D is incorrect because the custom AWS Config rule can invoke a Lambda function directly; there is no need to involve a CloudWatch Event.

https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html
[Screenshot: AWS console, Endpoints > Create Endpoint. The page text reads: "A VPC endpoint allows you to securely connect your VPC to another service. An interface endpoint is powered by PrivateLink, and uses an elastic network interface (ENI) as an entry point for traffic destined to the service. A gateway endpoint serves as a target for a route in your route table for traffic destined for the service." The service category is set to AWS services, the search box contains com.amazonaws.ap-southeast-2.kinesis-streams, and the service list shows Interface-type services owned by amazon such as com.amazonaws.ap-southeast-2.clouddirectory, com.amazonaws.ap-southeast-2.cloudformation, com.amazonaws.ap-southeast-2.cloudtrail and com.amazonaws.ap-southeast-2.codecommit.]

Detailed explanation of each option

Option A: Create an AWS Lambda function to perform the custom checks. Then configure a custom AWS Config rule to invoke the Lambda function.

This option involves creating a custom AWS Lambda function that performs the specific checks required to ensure that EC2 resources have appropriate tags in specific availability zones. Once the function is created, you can configure a custom AWS Config rule to invoke the Lambda function to perform the required checks.

This option provides you with complete control over the checks that are performed on the EC2 resources, allowing you to tailor the checks to your specific needs. However, it also requires that you have the necessary expertise to create the Lambda function and to configure the custom AWS Config rule to invoke the function.
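As an added illustration of option A (and of the Lambda-based approach given in the answer explanation above), the following Python handler shows what such a custom Config rule function looks like: it reads the configuration item Config passes in invokingEvent, applies the tag and availability-zone checks, and reports the result with PutEvaluations. This is example code, not code from the question's source or from AWS; the rule parameter names requiredTags and availabilityZones and the sample event are this example's own assumptions.

```python
import json

# Rule parameters arrive from Config as a JSON string; the names requiredTags
# and availabilityZones are this example's own assumption, not a Config default.
def parse_rule_parameters(rule_parameters):
    params = json.loads(rule_parameters) if rule_parameters else {}
    split = lambda value: [v.strip() for v in value.split(",") if v.strip()]
    return {"required_tags": split(params.get("requiredTags", "")),
            "availability_zones": split(params.get("availabilityZones", ""))}

def evaluate_compliance(item, params):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    az = item.get("availabilityZone")
    if params["availability_zones"] and az not in params["availability_zones"]:
        return "NOT_APPLICABLE", f"instance in {az} is out of scope"
    tags = item.get("tags") or {}  # Config presents tags as a key/value dict
    missing = [t for t in params["required_tags"] if not tags.get(t)]
    if missing:
        return "NON_COMPLIANT", "missing required tags: " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"

def build_evaluation(event):
    """Turn the Config invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(
        item, parse_rule_parameters(event.get("ruleParameters")))
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    import boto3  # imported here so the pure logic above also runs without it
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event (not a real capture): an instance in ap-southeast-2a
# that carries an Owner tag but no CostCenter tag.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
        "availabilityZone": "ap-southeast-2a", "tags": {"Owner": "secops"},
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}}),
    "ruleParameters": json.dumps({"requiredTags": "Owner,CostCenter",
                                  "availabilityZones": "ap-southeast-2a"}),
    "resultToken": "example-token"}
```

The function's execution role needs config:PutEvaluations, and the custom rule is created with this function's ARN as its source, with the parameters supplied as rule parameters.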

Option B: Submit a support request to update the AWS-provided Config rule required-tags.

This option involves submitting a support request to AWS to update the existing AWS Config rule called required-tags to meet your specific needs. This option can be an easy solution if the required changes are minor and can be implemented through a simple update to the existing rule. However, it is important to note that AWS may not be able to implement the changes immediately or at all, depending on the complexity of the changes.

Option C: In Systems Manager Automation, create an automation document that performs custom checks. Configure a custom AWS Config rule which invokes the document.

This option involves creating a custom automation document in AWS Systems Manager Automation that performs the specific checks required to ensure that EC2 resources have appropriate tags in specific availability zones. Once the document is created, you can configure a custom AWS Config rule to invoke the document to perform the required checks.

This option provides you with a pre-built automation solution that can be used to perform the checks without requiring the same level of expertise as option A. However, it may not provide the same level of flexibility as creating a custom Lambda function.

Option D: Configure a custom AWS Config rule to invoke a CloudWatch Event. Create a new CloudWatch Event rule with a Lambda function as the target. Use the AWS Lambda function to perform required custom checks.

This option involves configuring a custom AWS Config rule to invoke a CloudWatch Event that triggers a Lambda function. The Lambda function can then perform the specific checks required to ensure that EC2 resources have appropriate tags in specific availability zones.

This option provides a more streamlined solution than option A, as it involves using a pre-built AWS service (CloudWatch Events) to trigger the Lambda function. However, it may not provide the same level of flexibility as creating a custom Lambda function from scratch.

In summary, each of the four options provides a different approach to implementing custom checks for EC2 resource tags. Option A provides complete control over the checks but requires expertise in creating the Lambda function and custom AWS Config rule. Option B is the easiest option, but may not be possible depending on the complexity of the changes required. Option C provides a pre-built automation solution that is easier to implement than option A but may not provide the same level of flexibility. Option D provides a streamlined solution using pre-built AWS services but may not provide the same level of flexibility as creating a custom Lambda function.