Question 1
Domain 1: Threat Detection and Incident Response
A company is implementing new compliance requirements to meet customer needs. According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage. The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created. The solution also must terminate the unencrypted DB instance or DB cluster. Which solution will meet these requirements in the MOST operationally efficient manner?
Correct answer: A
Explanation
AWS Config managed rules continuously evaluate resource compliance, so a rule can detect when an RDS DB instance or DB cluster lacks encrypted storage. An automatic remediation action can trigger on noncompliance, and the Lambda function can terminate the unencrypted resource while SNS sends the email alert to subscribers, meeting both requirements with minimal operational overhead.
Why each option is right or wrong
A. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
AWS Config managed rules continuously evaluate RDS resources against the encryption requirement, flagging DB instances and DB clusters whose storage is not encrypted. With AWS Config remediation, a noncompliant evaluation can invoke an automatic remediation action with no human in the loop; publishing to an SNS topic lets a subscribed Lambda function delete the offending resource immediately after detection while the email subscription on the same topic satisfies the alerting requirement. No polling, custom scheduler, or manual step is involved, making this the most operationally efficient design.
B. Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
Manual remediation requires human action, so it does not meet the most operationally efficient requirement.
C. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.
EventBridge reacts to creation events but does not itself evaluate whether the new resource's storage is encrypted, so the compliance check would have to be re-implemented in the Lambda function; AWS Config is purpose-built for configuration compliance evaluation and remediation.
D. Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.
Event-driven Lambda can respond to creation events, but it is less aligned with compliance enforcement than Config.
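To make the remediation path in option A concrete, the following Lambda-style handler is an added example; it is not code from the question bank or from AWS. It assumes the function is subscribed to the SNS topic that the AWS Config remediation action publishes to, that each SNS message carries a JSON body with `resourceType` and `resourceId` (a constructed layout), and that the result topic ARN, resource identifiers, and the in-memory `FakeRds`/`FakeSns` stand-ins are illustrative placeholders. It re-verifies that the flagged resource is really unencrypted before deleting it, refuses to act when deletion protection is on, and publishes a summary back to SNS so the email subscribers see what was done.

```python
# Added example (not from the question or from AWS): SNS-triggered Lambda handler
# for the AWS Config remediation flow in option A. Message shape, topic ARN,
# resource ids and the fake clients are constructed for illustration.
import json
import os

# Placeholder ARN; in a deployment this comes from the function's environment.
RESULT_TOPIC_ARN = os.environ.get(
    "RESULT_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:rds-encryption-alerts")


def parse_config_messages(sns_event):
    """Return (resourceType, resourceId) pairs from an SNS-triggered Lambda event.
    Assumed message body: {"resourceType": "AWS::RDS::DBInstance", "resourceId": "..."}."""
    targets = []
    for record in sns_event.get("Records", []):
        body = json.loads(record["Sns"]["Message"])
        targets.append((body["resourceType"], body["resourceId"]))
    return targets


def remediate_resource(rds, resource_type, resource_id):
    """Re-check encryption with the RDS API, then delete. Returns a status string so
    the caller can report (and tests can assert) exactly what happened."""
    if resource_type == "AWS::RDS::DBInstance":
        inst = rds.describe_db_instances(DBInstanceIdentifier=resource_id)["DBInstances"][0]
        if inst["StorageEncrypted"]:
            return "skipped-encrypted"          # stale or false-positive finding
        if inst.get("DeletionProtection"):
            return "blocked-deletion-protection"  # deletion would fail; escalate via alert
        rds.delete_db_instance(DBInstanceIdentifier=resource_id,
                               SkipFinalSnapshot=True, DeleteAutomatedBackups=True)
        return "deleted-instance"
    if resource_type == "AWS::RDS::DBCluster":
        cl = rds.describe_db_clusters(DBClusterIdentifier=resource_id)["DBClusters"][0]
        if cl["StorageEncrypted"]:
            return "skipped-encrypted"
        if cl.get("DeletionProtection"):
            return "blocked-deletion-protection"
        # Aurora cluster members must be removed before the cluster itself.
        for member in cl.get("DBClusterMembers", []):
            rds.delete_db_instance(DBInstanceIdentifier=member["DBInstanceIdentifier"],
                                   SkipFinalSnapshot=True)
        rds.delete_db_cluster(DBClusterIdentifier=resource_id, SkipFinalSnapshot=True)
        return "deleted-cluster"
    return "ignored-unknown-type"


def handle(sns_event, rds, sns):
    """Process every flagged resource and publish one summary for the email subscribers."""
    results = [{"resourceType": t, "resourceId": r, "status": remediate_resource(rds, t, r)}
               for t, r in parse_config_messages(sns_event)]
    sns.publish(TopicArn=RESULT_TOPIC_ARN, Subject="RDS encryption remediation",
                Message=json.dumps(results, indent=2))
    return results


def lambda_handler(event, context):
    import boto3  # imported here so the module can be exercised offline without boto3
    return handle(event, boto3.client("rds"), boto3.client("sns"))


# ---- constructed stand-ins so the handler can be run offline -------------------
class FakeRds:
    """Minimal in-memory imitation of the boto3 RDS client calls used above."""
    def __init__(self, instances, clusters):
        self.instances, self.clusters, self.deleted = instances, clusters, []

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [self.instances[DBInstanceIdentifier]]}

    def describe_db_clusters(self, DBClusterIdentifier):
        return {"DBClusters": [self.clusters[DBClusterIdentifier]]}

    def delete_db_instance(self, DBInstanceIdentifier, **_):
        self.deleted.append(DBInstanceIdentifier)

    def delete_db_cluster(self, DBClusterIdentifier, **_):
        self.deleted.append(DBClusterIdentifier)


class FakeSns:
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed"}


SAMPLE_INSTANCES = {  # constructed sample inventory
    "db-plain": {"DBInstanceIdentifier": "db-plain", "StorageEncrypted": False},
    "db-encrypted": {"DBInstanceIdentifier": "db-encrypted", "StorageEncrypted": True},
    "db-protected": {"DBInstanceIdentifier": "db-protected", "StorageEncrypted": False,
                     "DeletionProtection": True},
}
SAMPLE_CLUSTERS = {
    "aurora-plain": {"DBClusterIdentifier": "aurora-plain", "StorageEncrypted": False,
                     "DBClusterMembers": [{"DBInstanceIdentifier": "aurora-plain-1"}]},
}


def make_sample_event(targets):
    """Build the SNS-shaped Lambda event for the given (type, id) pairs."""
    return {"Records": [{"Sns": {"Message": json.dumps({"resourceType": t, "resourceId": r})}}
                        for t, r in targets]}


if __name__ == "__main__":
    rds, sns = FakeRds(SAMPLE_INSTANCES, SAMPLE_CLUSTERS), FakeSns()
    event = make_sample_event([("AWS::RDS::DBInstance", "db-plain"),
                               ("AWS::RDS::DBInstance", "db-protected"),
                               ("AWS::RDS::DBCluster", "aurora-plain")])
    print(json.dumps(handle(event, rds, sns), indent=2))
```

The re-check before deletion matters in practice: Config evaluations are delivered asynchronously, so the function should trust the live `StorageEncrypted` value rather than the notification alone, and a resource with deletion protection enabled is reported instead of silently failing.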