Exam DOP-C02
Question 207

A DevOps engineer has developed an AWS Lambda function. The Lambda function starts an AWS CloudFormation drift detection operation on all supported resources for a specific CloudFormation stack. The Lambda function then exits its invocation.

The DevOps engineer has created an Amazon EventBridge scheduled rule that invokes the Lambda function every hour. An Amazon Simple Notification Service (Amazon SNS) topic already exists in the AWS account. The DevOps engineer has subscribed to the SNS topic to receive notifications.

The DevOps engineer needs to receive a notification as soon as possible when drift is detected in this specific stack configuration.

Which solution will meet these requirements?

    Correct Answer: D

    Using AWS Config with the cloudformation-stack-drift-detection-check managed rule provides a direct and reliable method for detecting configuration drifts in CloudFormation stacks. AWS Config continuously monitors the configurations of AWS resources and can quickly identify drifts. By creating an EventBridge rule that reacts to a compliance change event triggered by AWS Config, you ensure timely detection and notification. Configuring the SNS topic as a target of the EventBridge rule facilitates immediate alerts whenever a drift is detected.
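The setup the answer describes (AWS Config managed rule, EventBridge rule on the compliance-change event, SNS topic as target) written out as one CloudFormation template. This is an added example, not part of the exam page or of AWS's own samples; the resource names DriftConfigRole, DriftCheckRule and DriftEventRule and the two parameters are assumptions, and it assumes the existing SNS topic's resource policy already allows events.amazonaws.com to publish.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example (not from the exam page): option D as a deployable template.
# Assumed names: DriftConfigRole, DriftCheckRule, DriftEventRule.
Parameters:
  MonitoredStackId:   # stack ID (ARN) of the stack to watch for drift
    Type: String
  AlertTopicArn:      # ARN of the SNS topic that already exists in the account
    Type: String
Resources:
  DriftConfigRole:    # role AWS Config assumes to start drift detection
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: config.amazonaws.com }, Action: sts:AssumeRole }
      # Read access is needed so CloudFormation can describe the stack's resources;
      # narrow this to the resource types actually present in the stack where possible
      ManagedPolicyArns: [arn:aws:iam::aws:policy/ReadOnlyAccess]
      Policies:
        - PolicyName: DetectDrift
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: cloudformation:DetectStackDrift, Resource: "*" }
  DriftCheckRule:     # the managed rule, scoped to the one stack of interest
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: stack-drift-check
      Source: { Owner: AWS, SourceIdentifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK }
      InputParameters:
        cloudformationRoleArn: !GetAtt DriftConfigRole.Arn
      MaximumExecutionFrequency: One_Hour   # periodic rule; One_Hour is the lowest value
      Scope:
        ComplianceResourceTypes: [AWS::CloudFormation::Stack]
        ComplianceResourceId: !Ref MonitoredStackId
  DriftEventRule:     # reacts to the compliance change and publishes to the topic
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.config]
        detail-type: [Config Rules Compliance Change]
        detail:
          configRuleName: [stack-drift-check]
          newEvaluationResult: { complianceType: [NON_COMPLIANT] }
      Targets:
        - { Id: DriftAlertTopic, Arn: !Ref AlertTopicArn }
```

The rule is still evaluated on the MaximumExecutionFrequency schedule, so the alert follows the next evaluation in which the stack is found NON_COMPLIANT; what the event pattern removes is the need for a second Lambda function to poll drift-detection status and publish the result.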

Discussion
Nano803 (Option: D)

I recommend checking out this blog, which utilizes AWS Config and discusses EventBridge. Here is the link: https://aws.amazon.com/blogs/mt/implementing-an-alarm-to-automatically-detect-drift-in-aws-cloudformation-stacks/

Gomer

Info gleaned from following the link(++): cloudformation-stack-drift-detection-check AWS Config rule that checks if the actual configuration of a AWS CloudFormation (AWS CloudFormation) stack differs, or has drifted, from the expected configuration. MaximumExecutionFrequency The maximum frequency with which AWS Config runs evaluations for a rule. Example stack to detect and notify on drift: [...] MaximumExecutionFrequency: Description: "The maximum frequency with which drift in CloudFormation stacks need to be evaluated (default - One_Hour)" Type: "String" Default: "One_Hour" AllowedValues: ["One_Hour","Three_Hours","Six_Hours","Twelve_Hours","TwentyFour_Hours"] [...]

kyuhuck (Option: D)

Given the options and the requirement for immediate notification upon drift detection, Option D is the most appropriate solution. It leverages AWS Config to continuously monitor and evaluate the configurations of AWS resources, including CloudFormation stacks. When AWS Config detects a drift from the desired configuration, it can trigger an EventBridge rule, which in turn can notify the interested parties via the SNS topic. This approach does not require additional custom logic to check for drift results, as AWS Config handles the evaluation and notification process based on configuration changes.

DanShone (Option: D)

D would be suitable: https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html B would not work, as it would still only be triggered once per hour since it is using the same EventBridge rule.

Spavanko (Option: D)

B is wrong, you cannot query the CloudFormation API

dkp (Option: D)

Answer D.

AWS Config Integration: AWS Config is specifically designed to monitor and detect configuration changes and drifts in AWS resources, including CloudFormation stacks. Using AWS Config's built-in cloudformation-stack-drift-detection-check managed rule ensures comprehensive and reliable drift detection for CloudFormation stacks.

Event-Driven Architecture: Creating an EventBridge rule that reacts to a compliance change event for the CloudFormation stack allows you to trigger an alert as soon as drift is detected. This event-driven approach ensures timely detection and alerting for CloudFormation stack drift.

SNS Notification: By configuring the SNS topic as a target of the EventBridge rule, you can easily send notifications/alerts to various endpoints, including email, SMS, or other AWS services, ensuring immediate alerting when drift is detected.

WhyIronMan (Option: D)

D. Use the cloudformation-stack-drift-detection-check managed rule. B uses a scheduled rule, which will not notify as soon as possible, as it runs hourly.

Shasha1

D. Refer to this: https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html

fdoxxx (Option: B)

B is a suitable solution for meeting the requirements: This solution provides a more direct and responsive approach. The other options involve additional services like GuardDuty (Option C), which is not designed for CloudFormation drift detection, or AWS Config with managed rules (Option D), which may introduce unnecessary complexity for this specific scenario. Option A doesn't provide a straightforward way to react to drift detection events.

Chelseajcole

D. AWS Config

Arnaud92 (Option: B)

B is the most appropriate solution for this scenario. A is incorrect because although it involves configuring the existing EventBridge rule to target the SNS topic and using an SNS subscription filter policy, it does not involve querying the CloudFormation API for drift detection results. C is incorrect because it involves using Amazon GuardDuty, which is not specifically designed for CloudFormation drift detection. D is incorrect because although it involves using AWS Config and EventBridge to react to compliance change events, it does not directly address CloudFormation drift detection. With CloudWatch Events (now a part of EventBridge): https://aws.amazon.com/fr/blogs/mt/implement-automatic-drift-remediation-for-aws-cloudformation-using-amazon-cloudwatch-and-aws-lambda/

dzn (Option: B)

The minimum interval for the `cloudformation-stack-drift-detection-check` managed rule in AWS Config is 1 hour, which does not meet the requirement `as soon as possible when drift is detected`.

sejar

Any reference to the 1 hour limit?

Ramdi1 (Option: A)

Leverages existing infrastructure: This approach utilizes the existing EventBridge rule and SNS topic, avoiding the need for additional resources or complex configurations.

Immediate notification: Since the EventBridge rule already triggers the Lambda function every hour, adding the SNS topic as a target ensures drift detection results are published directly to the topic for immediate notification.

Filtering for specific stack: Implementing an SNS subscription filter policy ensures you only receive notifications for the specific CloudFormation stack you're interested in, avoiding irrelevant noise.

Ramdi1

B: Introduces an additional Lambda function and complexity, and requires polling for drift status, possibly delaying notification compared to real-time detection.

C: While GuardDuty offers centralized drift detection, setting up a separate EventBridge rule and relying on event findings adds extra steps and might not be as timely as direct notification from the Lambda function.

D: Although Config's cloudformation-stack-drift-detection-check rule identifies drift, triggering an EventBridge rule on compliance changes adds another layer of complexity and might not offer real-time notification like option A.

thanhnv142 (Option: B)

B is correct.

A: The SNS topic would be triggered consistently by the existing EventBridge rule, so this is incorrect.

C: GuardDuty is for threat detection, not this.

D: Irrelevant; the question requires using ACF drift detection, not AWS Config for drift detection.