Examice

Exam DOP-C02 All QuestionsBrowse all questions from this exam

Question 133

A company is using AWS to run digital workloads. Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations.

The company wants to enforce security standards across the entire organization. To avoid noncompliance because of security misconfiguration, the company has enforced the use of AWS CloudFormation. A production support team can modify resources in the production environment by using the AWS Management Console to troubleshoot and resolve application-related issues.

A DevOps engineer must implement a solution to identify in near real time any AWS service misconfiguration that results in noncompliance. The solution must automatically remediate the issue within 15 minutes of identification. The solution also must track noncompliant resources and events in a centralized dashboard with accurate timestamps.

Which solution will meet these requirements with the LEAST development overhead?

Use CloudFormation drift detection to identify noncompliant resources. Use drift detection events from CloudFormation to invoke an AWS Lambda function for remediation. Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group. Configure an Amazon CloudWatch dashboard to use the log group for tracking.

Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resources. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.

Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the --no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.

Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logs filters for drift detection. Use Amazon EventBridge to invoke the Lambda function for remediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up a dashboard on OpenSearch Service for tracking.

Correct Answer: C

By utilizing AWS Config, the company can monitor resource configurations across all AWS accounts for compliance with defined rules. AWS Security Hub provides centralized management of security alerts and compliance checks. In addition, AWS Config conformance packs allow automated remediation of non-compliant resources, which can address issues within the stipulated 15-minute window. The combination of these services eliminates significant development overhead by using AWS's built-in features for configuration management and compliance tracking, ensuring near real-time monitoring and remediation with centralized tracking.

Discussion

SnapeOption: C

Compliance usually indicates towards config

tartarus23Option: C

(C) This solution meets all of the requirements. AWS Config can monitor resource configurations for compliance with defined rules. The use of AWS Security Hub allows for centralized management of security alerts and compliance checks across all accounts. AWS Config conformance packs allow for automated remediation of non-compliant resources. AWS Security Hub provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts. This solution is also the one with the least development overhead as it uses built-in AWS services specifically designed for configuration management and compliance tracking.

Gomer

Leaning towards "A" unless someone can convince me otherwise. Why?: I have a problem with this step in "C": "Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources." The fact is your not going to detect any "drift" by turning on the recorder AFTER the accounts are noncompliant. AWS Config rules (canned or custom) and Conformance Packs can do a lot, but it's definitely duplicating settings any security settings allready defined CloudFormation stacks. I lean towards "A" because "To avoid noncompliance because of security misconfiguration, the company has enforced the use of AWS CloudFormation". Therefore CloudFormation stacks are is where the security settings are defined, and thereby CloudFormation is implied to be part of the detection and remediation process. CloudFormation drift detection can be automated, and one can just "automatically remediate the issue within 15 minutes of identification" by just doing a stack refresh. Easy peasy.

ajeeshb

Correct, A is the answer.

AzureDP900

C is right https://aws.amazon.com/blogs/security/optimize-aws-config-for-aws-security-hub-to-effectively-manage-your-cloud-security-posture/

ds50421Option: C

compliance means aws config,automatic remedy aws config,central dashboard security hub

zijoOption: C

C is the better solution. AWS CloudFormation drift detection helps identify whether the actual configuration of your AWS resources matches their expected configuration as defined in the CloudFormation stack template. While it is a powerful tool for maintaining compliance and consistency, it alone cannot fully prevent noncompliance due to security misconfigurations. Thats where you need AWS config to continuously monitor service configurations and even use aggregator to collect all aws config data from all member accounts in aws organization to Security Hub to provide a centralized dashboard.

dkpOption: C

answer is C with minimal overhead

tristan_07Option: A

Both Option A and C work. However, considering Option C involves a lot 'all the AWS accounts,' it undoubtedly increases development overhead

thanhnv142Option: A

A is correct: drift detection is the best for this scenario, which utilizes AWS cloudformation B and D: using cloudtraid is for monitoring account activities C: AWS Config conformance packs cannot make remediation actions. It needs to trigger AWS SSM automation document

vn_thanhtung

A not correct because not mention how to remediate