AWS Config Rule for Custom Security Policies | DevOps Exam Prep

Custom AWS Config Rule for Ensuring Security Compliance

Prev Question Next Question

Question

A company has strict security policies.

For its AWS services, special attention is required to ensure that there is no security vulnerability.

You are asked to set up a rule in AWS Config to inspect if the AWS resources are always as expected.

The rule is very complicated, and there is no existing AWS managed rule that can meet the company's needs.

Which actions in combinations can achieve this requirement? (Select TWO.)

Answers

A. Create a t2.micro EC2 instance to implement the custom policies to check if AWS resources are not exposed to security issues. The instance also listens to an SQS queue and starts processing whenever there is a new message in the queue.

B. Create an AWS Lambda function that contains the logic of the custom rule to evaluate whether the AWS resources are compliant.

C. Create an SNS topic and subscribe to the topic with an email notification to the team member, if there is a security issue in AWS resources.

D. In AWS Config, add a custom rule that runs every hour and sends a message to an SQS queue.

E. In AWS Config, add a custom rule and specify the ARN of an AWS Lambda function that checks AWS resources.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D. E.

Correct Answer - B, E.

In AWS config, there are AWS managed rules or custom rules.

For the introduction of custom rules, please check the documentation in.

https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html.

Option A is incorrect: Because the EC2 instance is not as flexible as the Lambda function.

More importantly, the AWS Config custom rule only supports Lambda function as its target.

Option B is CORRECT: A Lambda Function can be created with the blueprint of config-rule-change-triggered.

Option C is incorrect: Because configuring an SNS topic is not a necessary step.

Option D is incorrect: Because the custom rule in AWS Config should directly call the Lambda ARN and trigger the function.

Option E is CORRECT: When a custom rule is created, Lambda ARN can be configured as below:

Resources:

GetHelloWorld:
Type: AWS: :Serverless: : Function
Properties:
Handler: index.get
Runtime: nodejs8.10
Role:
Fn::GetAtt:
- LambdaExecutionRole
- Arn
Events:
GetEvent:
Type: Api
Properties:
Path: /
Method: get
LambdaExecutionRole:
Description: Creating service role in IAM for AWS Lambda
Type: AWS: :IAM::Role
Properties:
RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'

The requirement is to set up a custom rule in AWS Config to inspect if AWS resources are always as expected in compliance with strict security policies. As there is no existing AWS managed rule that can meet the company's needs, the solution would be to create a custom rule using AWS services.

To achieve this requirement, two actions in combination are needed.

The first action is to create a custom rule using AWS Lambda. AWS Lambda is a compute service that runs code in response to events and automatically manages the compute resources. The custom rule will evaluate whether the AWS resources are compliant by using the logic of the custom rule. The rule will be triggered by AWS Config and will run the AWS Lambda function to check the resources for security issues.

To create the custom rule, follow these steps:

Create an AWS Lambda function that contains the logic of the custom rule to evaluate whether the AWS resources are compliant.
In AWS Config, add a custom rule and specify the ARN of the AWS Lambda function that checks AWS resources.

The second action is to create an SNS topic that will notify the team members if there is a security issue in AWS resources. SNS is a messaging service that can be used to send notifications and alerts. The team members can subscribe to the SNS topic and receive email notifications whenever there is a security issue in AWS resources.

To create the SNS topic, follow these steps:

Create an SNS topic
Subscribe to the topic with an email notification to the team member if there is a security issue in AWS resources.

Option A is not a suitable solution as it requires creating and managing an EC2 instance and an SQS queue, which will increase the complexity and the cost of the solution.

Option D is not a suitable solution because it sends a message to an SQS queue but does not specify any action to be taken in case there is a security issue in AWS resources.

Therefore, the correct actions in combination that can achieve this requirement are:

Create an AWS Lambda function that contains the logic of the custom rule to evaluate whether the AWS resources are compliant.
In AWS Config, add a custom rule and specify the ARN of the AWS Lambda function that checks AWS resources.
Create an SNS topic and subscribe to the topic with an email notification to the team member if there is a security issue in AWS resources.

Prev Question Next Question