AWS Config Rule Non-Compliance for S3 Bucket Resource

Identifying the Cause of Non-Compliance for an AWS Config Rule


Question

Your team has configured several AWS Config rules in an AWS account.

You just took a long holiday, and when you come back to work you find that an AWS Config rule has become non-compliant for an important S3 bucket resource.

The rule checks whether S3 bucket resources have a bucket policy that denies incoming insecure requests.

You remember that before you took the holiday, this Config rule was compliant for all S3 buckets.

You want to quickly check when and how this bucket became non-compliant.

Which option is the easiest one?

Answers

A. Open the configuration timeline of the S3 bucket in AWS Config and check each change performed during the holiday.
B. Open the compliance timeline of the resource in AWS Config and check the changes made when the rule status became non-compliant.
C. Search for the S3 bucket name in the AWS CloudTrail console and open each CloudTrail event.
D. Search for bucket policy events in AWS CloudTrail and check each event.

Explanations

Correct Answer : B.

Option A is incorrect because you would have to look at every change recorded in the configuration timeline.

It is not the fastest method, as there may be a lot of events to check.

Option B is CORRECT because the compliance timeline clearly indicates when the Config rule became non-compliant.

You can simply check the relevant events and changes to find out the reason.

Option C is incorrect because you have to check all the S3 events one by one to locate the change that you need.

It is not the quickest way.

Option D is incorrect because, as with option C, you need to go through each CloudTrail event about bucket policies and find the one for this S3 bucket.

If there are a lot of events, it will take a long time to get the event that you want.

Reference:

https://docs.aws.amazon.com/config/latest/developerguide/view-compliance-history.html

The easiest option to check when and how an AWS Config rule became non-compliant for an S3 bucket resource is to choose option B: Open the compliance timeline of the resource in AWS Config and check the changes when the rule status became non-compliant.

Option A suggests checking each change performed during the holiday by opening the configuration timeline, which could be time-consuming and may not directly show what caused the non-compliance. Option B, on the other hand, lets you open the compliance timeline of the S3 bucket resource in AWS Config and quickly identify the changes that led to non-compliance.

Option C suggests searching for the S3 bucket name in the AWS CloudTrail console and opening each CloudTrail event, which could be time-consuming and may not directly show what caused the non-compliance. Option D similarly suggests searching for bucket policy events in AWS CloudTrail and checking each event, which has the same drawback.

AWS Config is a service that allows you to evaluate the configuration of AWS resources and monitor resource changes over time. By creating Config rules, you can check whether your AWS resources comply with your organization's policies or industry best practices. When an AWS Config rule becomes non-compliant for a resource, it means that the resource's configuration has changed, and it no longer meets the conditions specified in the rule.

To check when and how an AWS Config rule became non-compliant for an S3 bucket resource, you can follow these steps:

  1. Log in to the AWS Management Console.
  2. Open the AWS Config console.
  3. In the navigation pane, choose Rules.
  4. Find the rule that checks if S3 bucket resources have the bucket policy that denies incoming insecure requests.
  5. Check the Compliance column for the S3 bucket resource in question. If it shows Noncompliant, it means that the rule is no longer met for this resource.
  6. Click on the resource's name to open its compliance timeline.
  7. Check the timeline for the resource and identify the point in time when the resource became non-compliant.
  8. Click on the non-compliant status to get more details on the reason for non-compliance.
  9. Check the change details for the non-compliant status, including the change type, change time, and change initiator.
  10. Based on the change details, investigate further to identify the root cause of the non-compliance issue.

By following these steps, you can quickly check when and how an AWS Config rule became non-compliant for an S3 bucket resource and take appropriate actions to remediate the issue.
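Step 10 usually comes down to comparing the bucket policy recorded before and after the change the compliance timeline points at. The following is an added example, not code from the page or AWS Config's own evaluator: it approximates what a "deny insecure requests" rule looks for in a bucket policy (a Deny on all principals and S3 actions when aws:SecureTransport is false) and runs it over two constructed policy snapshots; the bucket name, role ARN and account ID are made up.

```python
# Added example (not AWS Config's own evaluator): approximate the check behind a
# "deny insecure requests" bucket-policy rule and run it over two constructed
# snapshots, the kind you compare after the compliance timeline shows a change.
import json

BUCKET = "example-important-bucket"  # constructed name

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def denies_insecure_requests(policy_json, bucket):
    """True if a Deny statement blocks all principals and all S3 actions on the
    bucket and its objects whenever aws:SecureTransport is false (plain HTTP)."""
    arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        if not {arn, arn + "/*"} <= set(_as_list(stmt.get("Resource"))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False

def evaluate(policy_json, bucket):
    """Map the check to the compliance type strings AWS Config reports."""
    return "COMPLIANT" if denies_insecure_requests(policy_json, bucket) else "NON_COMPLIANT"

# Constructed "before" snapshot: the deny-non-TLS statement is present.
BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# Constructed "after" snapshot: the policy was rewritten and the Deny was dropped,
# which is what the timeline's change record would reveal.
AFTER = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowReadForRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

if __name__ == "__main__":
    print("before:", evaluate(BEFORE, BUCKET))  # COMPLIANT
    print("after: ", evaluate(AFTER, BUCKET))   # NON_COMPLIANT
```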