A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AM Is and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated.
What combination of steps should the Engineer implement? Select 2 answers from the options given below.
A . Set up a CloudWatch event based on Trusted Advisor metrics
B . Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
C . Set up a CloudWatch event based on Amazon inspector findings
D . Monitor compliance with AWS Config Rules triggered by configuration changes
E . Trigger a CLI command from a CloudWatch event that terminates the infrastructure
Answer: B,D
Explanation:
You can use AWS Config to monitor for such Event
Option A is invalid because you cannot set Cloudwatch events based on Trusted Advisor checks.
Option C is invalid Amazon inspector cannot be used to check whether instances are launched from a specific A
Option E is invalid because triggering a CLI command is not the preferred option, instead you should use Lambda functions for all automation purposes.
For more information on Config Rules please see the below Link: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html These events can then trigger a lambda function to terminate instances For more information on Cloudwatch events please see the below Link: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatlsCloudWatchEvents.
(
The correct answers are: Trigger a Lambda function from a scheduled Cloudwatch event that terminates non-compliant infrastructure., Monitor compliance with AWS Config Rules triggered by configuration changes
Submit your Feedback/Queries to our Experts