Question 32
Domain 5: Incident and Event Response

A company has an AWS CloudFormation stack that is deployed in a single AWS account. The company has configured the stack to send event notifications to an Amazon Simple Notification Service (Amazon SNS) topic. A DevOps engineer must implement an automated solution that applies a tag to the specific CloudFormation stack instance only after a successful stack update occurs. The DevOps engineer has created an AWS Lambda function that applies and updates this tag for the specific stack instance. Which solution will meet these requirements?
Correct answer: C
Explanation
CloudFormation emits stack status events, and the requirement is to act only after a successful update, which is the UPDATE_COMPLETE state. An Amazon EventBridge rule can match that event pattern and invoke the Lambda function, providing the automated trigger for tagging the specific stack instance once the update finishes.
Why each option is right or wrong
A. Run the AWS-UpdateCloudFormationStack AWS Systems Manager Automation runbook when Systems Manager detects an UPDATE_COMPLETE event for the instance status of the CloudFormation stack. Configure the runbook to invoke the Lambda function.
Systems Manager Automation is for operational runbooks, not the natural event filter for CloudFormation update completion.
B. Create a custom AWS Config rule that produces a compliance change event if the CloudFormation stack has an UPDATE_COMPLETE instance status. Configure AWS Config to directly invoke the Lambda function to automatically remediate the change event.
AWS Config evaluates resource compliance, not stack lifecycle success events like CloudFormation UPDATE_COMPLETE.
C. Create an Amazon EventBridge rule that matches the UPDATE_COMPLETE event pattern for the instance status of the CloudFormation stack. Configure the rule to invoke the Lambda function.
AWS CloudFormation publishes stack state change events to Amazon EventBridge, and the relevant success state for an update is `UPDATE_COMPLETE` for the stack instance. Under the EventBridge event pattern model, a rule can filter on the CloudFormation `detail-type`/stack status and then target the Lambda function, so the function runs only after the update has finished successfully rather than on every stack event.
D. Adjust the configuration of the CloudFormation stack to send notifications for only an UPDATE_COMPLETE instance status event to the SNS topic. Subscribe the Lambda function to the SNS topic.
SNS delivers notifications, but a stack's notification setting cannot be limited to a single status; EventBridge is the service built to match specific AWS event patterns.
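To make the filtering in option C concrete, here is an added example (not from the exam or from AWS) of the rule's event pattern beside a Lambda handler that refuses to tag anything unless the event is an UPDATE_COMPLETE status change. The event field names (`source`, `detail-type`, `detail.stack-id`, `detail.status-details.status`) follow the shape of the CloudFormation stack status change event as I understand it and are an assumption; the sample events are constructed, and the handler returns the intended tagging action instead of calling the CloudFormation API so it runs offline.

```python
import json

# EventBridge rule event pattern: fire only for a CloudFormation stack
# status change whose status is UPDATE_COMPLETE (field names assumed).
EVENT_PATTERN = {
    "source": ["aws.cloudformation"],
    "detail-type": ["CloudFormation Stack Status Change"],
    "detail": {"status-details": {"status": ["UPDATE_COMPLETE"]}},
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every pattern key must be
    present; a list means 'one of these values'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def handler(event, context=None):
    """Lambda entry point. Re-checks the pattern so a rule that is later
    broadened (or a misrouted event) still cannot tag a failed update.
    The real function would pass `tags` to the CloudFormation API call."""
    if not matches(EVENT_PATTERN, event):
        return {"tagged": False, "reason": "status is not UPDATE_COMPLETE"}
    stack_id = event["detail"]["stack-id"]
    tags = [{"Key": "LastSuccessfulUpdate", "Value": event["time"]}]
    return {"tagged": True, "stack_id": stack_id, "tags": tags}


# Constructed sample events (placeholder account id and stack ARN).
UPDATE_OK = {
    "source": "aws.cloudformation",
    "detail-type": "CloudFormation Stack Status Change",
    "time": "2024-01-01T00:00:00Z",
    "detail": {
        "stack-id": "arn:aws:cloudformation:us-east-1:111122223333:stack/demo/EXAMPLE-ID",
        "status-details": {"status": "UPDATE_COMPLETE", "status-reason": ""},
    },
}
# A rolled-back update also "completes", but must not be tagged.
UPDATE_ROLLED_BACK = json.loads(json.dumps(UPDATE_OK))
UPDATE_ROLLED_BACK["detail"]["status-details"]["status"] = "UPDATE_ROLLBACK_COMPLETE"
```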