Web ACL Logging for AWS WAF Rules Compliance and Secret Rotation | Exam DOP-C01

Best Approach for Implementing Web ACL Logging in AWS | Exam DOP-C01


Question

You are the cloud DevOps engineer for a forensic research company that wants to implement web ACL logging to analyze AWS WAF rules compliance and track changes to stored secrets for rotation.

Which statement describes the best approach to deal with this scenario?

Answers

Explanations


Correct Answer: C.

The question has two main aspects: implementing web ACL logging, and tracking changes to secrets for rotation.

To deal with the first aspect, you can create a custom AWS Config rule backed by an AWS Lambda function that reacts to configuration changes in an AWS WAF web ACL resource and evaluates whether logging is enabled.

Auto-remediation is built-in functionality in AWS Config: in response to a NON_COMPLIANT evaluation, it can invoke an automation action that is defined as a Systems Manager Automation document (operational playbook).

To deal with the second aspect, there is an AWS Config managed rule, secretsmanager-rotation-enabled-check, whose evaluation is NON_COMPLIANT when the secret is not scheduled for rotation.

Incorrect Answers:

Options A and B are incorrect because they do not correctly describe the custom AWS Config rule blueprint (a Lambda-backed rule plus a remediation configuration).

Options A and D are incorrect because they mention an irrelevant timeoutSeconds property.

References:

https://go.aws/2WGINPA

https://go.aws/3fAj0RS

The best approach for the given scenario is option C - Configure a custom AWS Config rule to invoke an AWS Lambda function in response to a configuration change in an AWS::WAF::WebACL resource. Run an automation workflow through AWS::Config::RemediationConfiguration whose TargetType is a Systems Manager operational playbook that calls another AWS Lambda function that will attempt to automatically enable logging on the web ACL. To track changes to secrets, it is possible to rely on the AWS Config managed rule secretsmanager-rotation-enabled-check which is NON_COMPLIANT if the secret is not scheduled for rotation.

Explanation: The scenario requires implementing web ACL logging for analyzing AWS WAF rules compliance and tracking changes to stored secrets for rotation. AWS WAF (Web Application Firewall) is a service that helps protect web applications from common web exploits. To track changes in AWS WAF and secrets, AWS Config rules can be configured to invoke Lambda functions in response to configuration changes. AWS Config is a service that evaluates the configuration of AWS resources against predefined rules, and records configuration changes over time.

Option A is incorrect because it only mentions tracking changes to secrets using a managed AWS Config rule, but it does not provide any details on how to implement web ACL logging. It also refers to setting the timeoutSeconds property for playbook actions, but it is unclear how this is relevant to the scenario.

Option B is incorrect because it suggests running an automation workflow through AWS Config remediation configuration to enable logging on the web ACL automatically, but it does not provide any details on how to track changes to stored secrets for rotation. It also includes a custom AWS Config rule for tracking secrets, but it is unclear how this rule works.

Option D is incorrect because it is similar to option A, where it only mentions tracking changes to secrets using a custom AWS Config rule and does not provide any details on how to implement web ACL logging.

Option C is the best approach because it suggests configuring a custom AWS Config rule to invoke an AWS Lambda function in response to a configuration change in an AWS::WAF::WebACL resource. This Lambda function can be used to evaluate whether logging is enabled on the web ACL. In addition, an AWS Config managed rule called secretsmanager-rotation-enabled-check can be used to track changes to stored secrets for rotation. The rule is configured to be NON_COMPLIANT if the secret is not scheduled for rotation. Finally, an automation workflow can be run through AWS Config remediation configuration whose TargetType is a Systems Manager operational playbook. This playbook calls another Lambda function that attempts to enable logging on the web ACL.
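The custom rule blueprint described under the correct answer and in the option C explanation above can be made concrete with the evaluation function that backs the rule. The following is an added example written for this page; it is not code from the exam provider or from AWS. It separates the pure compliance decision (which runs offline on constructed input) from the AWS API calls that only happen inside Lambda: the lookup assumes the WAF classic GetLoggingConfiguration API via boto3, and the sample event, ARN and result token are constructed values, not real identifiers.

```python
# Added example: Lambda function backing a custom AWS Config rule that evaluates
# whether an AWS::WAF::WebACL has logging enabled. The decision logic is pure so it
# can be tested offline; boto3 is only imported inside the functions that need AWS.
import json
from datetime import datetime, timezone

WEB_ACL_TYPE = "AWS::WAF::WebACL"


def web_acl_logging_status(configuration_item, logging_configurations):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item.

    configuration_item: the item AWS Config hands to the rule (resourceType, ARN, ...).
    logging_configurations: mapping of web ACL ARN -> LoggingConfiguration dict, or
    None when no logging configuration exists. In the deployed rule this comes from
    the WAF API; in the offline test it is constructed input.
    """
    if configuration_item.get("resourceType") != WEB_ACL_TYPE:
        return "NOT_APPLICABLE"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    logging_cfg = logging_configurations.get(configuration_item["ARN"])
    # Logging only counts as enabled when at least one delivery destination is set.
    if logging_cfg and logging_cfg.get("LogDestinationConfigs"):
        return "COMPLIANT"
    return "NON_COMPLIANT"


def build_evaluation(configuration_item, compliance):
    """Build the Evaluation record in the shape config:PutEvaluations expects."""
    annotations = {
        "COMPLIANT": "Web ACL logging is enabled.",
        "NON_COMPLIANT": "Web ACL has no logging destination; remediation should enable it.",
        "NOT_APPLICABLE": "Resource is not an active AWS::WAF::WebACL.",
    }
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotations[compliance],
        "OrderingTimestamp": configuration_item.get(
            "configurationItemCaptureTime", datetime.now(timezone.utc).isoformat()),
    }


def evaluate_event(event, logging_configurations):
    """Parse a Config rule invocation event and return the evaluation to report."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    return build_evaluation(item, web_acl_logging_status(item, logging_configurations))


def fetch_logging_configuration(web_acl_arn):
    """Look up a web ACL's logging configuration via the WAF classic API (assumption:
    the rule targets WAF classic, matching the AWS::WAF::WebACL resource type)."""
    import boto3
    from botocore.exceptions import ClientError
    waf = boto3.client("waf")
    try:
        return waf.get_logging_configuration(ResourceArn=web_acl_arn)["LoggingConfiguration"]
    except ClientError as err:
        # WAFNonexistentItemException means no logging configuration exists yet.
        if err.response["Error"]["Code"] == "WAFNonexistentItemException":
            return None
        raise


def lambda_handler(event, context):
    """Entry point for the custom AWS Config rule (runs only inside Lambda)."""
    import boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    lookups = {}
    if item.get("resourceType") == WEB_ACL_TYPE:
        lookups[item["ARN"]] = fetch_logging_configuration(item["ARN"])
    evaluation = evaluate_event(event, lookups)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample input: a ConfigurationItemChangeNotification for one web ACL.
SAMPLE_WEB_ACL_ARN = "arn:aws:waf::123456789012:webacl/00000000-0000-0000-0000-000000000000"
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": WEB_ACL_TYPE,
            "resourceId": "00000000-0000-0000-0000-000000000000",
            "ARN": SAMPLE_WEB_ACL_ARN,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        },
    }),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(evaluate_event(SAMPLE_EVENT, {}))  # NON_COMPLIANT: no logging configured
```

The NON_COMPLIANT evaluation is what the AWS::Config::RemediationConfiguration from option C keys on: its Systems Manager playbook then invokes the second Lambda function that enables logging, and the next configuration change re-triggers this rule, which should evaluate COMPLIANT once a log destination is present.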