AWS Certified DevOps Engineer - Professional | HIPAA-Compliant Application Resource Auditing

Automating Resource Auditing for HIPAA-Compliant Applications | AWS Certified DevOps Engineer


Question

The company you are working for is prototyping a HIPAA-compliant application.

You, as a DevOps engineer, have to automate the resource auditing process, including the CIS AWS Foundations Benchmark requirements as an external compliance framework.

The results have to be sent periodically as email notifications.

Which statement is true when creating custom AWS Config rules backed by AWS Lambda functions to model the criteria that must be met?


Correct Answer: D.

In order to create a custom rule that audits AWS resources for security compliance, you have to create an AWS Lambda function containing the evaluation logic and associate it with the rule; the function queries AWS Config to detect non-compliant resources.

This scenario also requires additional permission to be able to publish messages to an Amazon SNS topic to manage email notifications.

Incorrect Answers:

Options A and B are incorrect because the available AWS Lambda function blueprints are only a starting point for a template.

It is perfectly possible to create and use a custom function written from scratch.

Option C is incorrect because the custom rule does not contain the evaluation logic.

The AWS Lambda function is the one with the logic that audits AWS resources.


The correct answer is D: You develop custom rules and add them to AWS Config. Then, you associate each custom rule with an AWS Lambda function containing the logic that evaluates whether your AWS resources comply with the rule. The Lambda function will require permission to query AWS Config and publish a message to Amazon SNS.

Explanation:

In this scenario, the company is prototyping a HIPAA-compliant application, and the DevOps engineer is required to automate the resource auditing process, including CIS AWS Foundations Benchmark requirements as an external compliance framework. The results have to be sent periodically as email notifications.

To automate the auditing process and meet the compliance requirements, AWS Config can be used with AWS Lambda functions. AWS Config is a service that provides a detailed inventory of AWS resources and records changes to resources over time. AWS Lambda is a service that allows developers to run code without provisioning or managing servers.

To create custom AWS Config rules via AWS Lambda functions, the following steps can be followed:

  1. Develop custom rules and add them to AWS Config: The custom rules are based on the compliance requirements that need to be met. These rules are added to AWS Config so that they can be evaluated against AWS resources.

  2. Associate each custom rule with an AWS Lambda function: An AWS Lambda function can be created to evaluate whether the AWS resources comply with the custom rule. Each custom rule is associated with a specific Lambda function that contains the logic to evaluate compliance.

  3. Lambda function permission: The Lambda function will require permission to query AWS Config to retrieve information about the resources and their compliance status. It will also require permission to publish a message to Amazon SNS to send email notifications. Therefore, the Lambda function needs permission to access AWS Config and Amazon SNS.
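The three steps above, as an added example written for this page (not code from the page or from AWS): a Python Lambda handler for a custom AWS Config rule that receives the configuration item, evaluates two CIS AWS Foundations Benchmark CloudTrail controls, reports the verdict with put_evaluations, and publishes to an SNS topic when the resource is non-compliant. The constructed sample event, the CloudTrail configuration field names, the snsTopicArn rule parameter and the topic ARN placeholder are assumptions.

```python
import json
# Constructed event in the shape AWS Config hands to a configuration-change
# custom rule; the CloudTrail "configuration" field names are an assumption.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::CloudTrail::Trail",
            "resourceId": "constructed-trail",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"isMultiRegionTrail": False, "logFileValidationEnabled": True},
        },
    }),
    "ruleParameters": json.dumps({"snsTopicArn": "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER"}),
    "resultToken": "constructed-token",
}
CIS_CLOUDTRAIL_CHECKS = (  # CIS CloudTrail controls: (configuration key, annotation on failure)
    ("isMultiRegionTrail", "trail is not multi-region"),
    ("logFileValidationEnabled", "log file validation is disabled"),
)

def evaluate(item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        return "NOT_APPLICABLE", "rule only evaluates CloudTrail trails"
    cfg = item.get("configuration") or {}
    problems = [msg for key, msg in CIS_CLOUDTRAIL_CHECKS if not cfg.get(key)]
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "trail meets the CIS CloudTrail controls"

def lambda_handler(event, context, config_client=None, sns_client=None):
    # Clients are injectable so the logic can run offline; inside Lambda they are
    # created here (execution role needs config:PutEvaluations and sns:Publish).
    if config_client is None or sns_client is None:
        import boto3
        config_client = config_client or boto3.client("config")
        sns_client = sns_client or boto3.client("sns")
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate(item)
    evaluation = {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": annotation,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    # Report the verdict to AWS Config under its result token, then e-mail via SNS on failure.
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    if compliance == "NON_COMPLIANT":
        sns_client.publish(TopicArn=params["snsTopicArn"], Subject="AWS Config: non-compliant " + item["resourceType"],
                           Message=item["resourceId"] + ": " + annotation)
    return compliance
```

Deployed as the rule's Lambda, the same handler is invoked by AWS Config for every change to a trail; a periodic trigger would deliver a ScheduledNotification event instead and would need to list the trails itself.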

Option A is incorrect because it limits the DevOps engineer to only two AWS Lambda function blueprints. It also incorrectly states that the custom rule only needs permission to query AWS Config, when in fact it needs permission to publish a message to Amazon SNS.

Option B is incorrect because it incorrectly states that any AWS Lambda function blueprint can be used to evaluate compliance. In fact, a custom Lambda function needs to be created for each custom rule.

Option C is incorrect because it incorrectly states that the Lambda function needs permission to publish a message to Amazon SNS, when in fact the custom rule needs this permission.