Securing CloudFront Distribution Configuration Changes

Record CloudFront Distribution Configuration Changes

Question

A team has set up a CloudFront distribution with a web application hosted on an EC2 instance as the origin.

A security requirement mandates that all configuration changes to the CloudFront distribution be recorded.

Which of the following options is the most straightforward?

Answers

Explanations



Answer - A.

This is mentioned in the AWS documentation.

You can use AWS Config to record changes to CloudFront distribution settings.

For example, you can capture changes to distribution states, price classes, origins, geo-restriction settings, and Lambda@Edge configurations.

Option B is incorrect since you have to configure a custom AWS Config rule, and a Lambda function is required to provide the logic that runs when the rule is evaluated.

It is not the most straightforward method.

Option C is incorrect because, unlike AWS Config, CloudTrail does not show the detailed configuration changes for an AWS resource.

Option D is incorrect because you have to maintain the CloudWatch Event rule and the Lambda function.

It is not the easiest approach.

For more information on tracking changes with AWS Config, please visit the URL below.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackingChanges.html
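The following is an added example (not from this page or from AWS) of what "recording configuration changes" with AWS Config looks like in practice: it walks the configuration history that `aws configservice get-resource-config-history` returns for a distribution and reports every setting that changed between consecutive snapshots, which is what a reviewer would want when a price class, origin or geo-restriction is altered. The history items and the field names inside `configuration` are constructed for illustration; the real CloudFront schema recorded by AWS Config may differ, but the diff is generic and works over whatever nested JSON Config stores.

```python
import json
from typing import Any

# Constructed sample (not real account data) in the shape returned by
# `aws configservice get-resource-config-history`. The field names inside
# "configuration" are illustrative, not the exact schema AWS Config records.
SAMPLE_HISTORY = [
    {
        "resourceType": "AWS::CloudFront::Distribution",
        "resourceId": "EXAMPLEDISTID",
        "configurationItemCaptureTime": "2024-01-01T10:00:00Z",
        "configurationItemStatus": "ResourceDiscovered",
        "configuration": json.dumps({
            "distributionConfig": {
                "enabled": True,
                "priceClass": "PriceClass_All",
                "origins": {"items": [
                    {"id": "app-origin", "domainName": "ec2-origin.example.com"},
                ]},
                "restrictions": {"geoRestriction": {"restrictionType": "none", "items": []}},
            }
        }),
    },
    {
        "resourceType": "AWS::CloudFront::Distribution",
        "resourceId": "EXAMPLEDISTID",
        "configurationItemCaptureTime": "2024-01-02T09:30:00Z",
        "configurationItemStatus": "OK",
        "configuration": json.dumps({
            "distributionConfig": {
                "enabled": True,
                "priceClass": "PriceClass_100",
                "origins": {"items": [
                    {"id": "app-origin", "domainName": "ec2-origin.example.com"},
                    {"id": "extra-origin", "domainName": "unknown-host.example.net"},
                ]},
                "restrictions": {"geoRestriction": {"restrictionType": "blacklist", "items": ["XX"]}},
            }
        }),
    },
]


def diff_config(old: Any, new: Any, path: str = "") -> list:
    """Recursively compare two parsed configuration trees.

    Returns (path, old_value, new_value) triples; a side that is absent is None.
    Dicts are walked by key, lists by index, everything else compared by value.
    """
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            child = f"{path}.{key}" if path else key
            changes.extend(diff_config(old.get(key), new.get(key), child))
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            o = old[i] if i < len(old) else None
            n = new[i] if i < len(new) else None
            changes.extend(diff_config(o, n, f"{path}[{i}]"))
    elif old != new:
        changes.append((path, old, new))
    return changes


def change_report(history: list) -> list:
    """Order configuration items by capture time and emit one entry per change set."""
    items = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    report = []
    for prev, cur in zip(items, items[1:]):
        changes = diff_config(json.loads(prev["configuration"]),
                              json.loads(cur["configuration"]))
        if changes:
            report.append({
                "resourceId": cur["resourceId"],
                "capturedAt": cur["configurationItemCaptureTime"],
                "changes": changes,
            })
    return report


if __name__ == "__main__":
    for entry in change_report(SAMPLE_HISTORY):
        print(f"{entry['capturedAt']} {entry['resourceId']}")
        for path, old, new in entry["changes"]:
            print(f"  {path}: {old!r} -> {new!r}")
```

On the constructed sample the report shows the price class change, the added second origin and the new geo-restriction, each as a path into the recorded configuration; in a real account you would feed it the `configurationItems` array from the CLI call for the distribution's resource ID.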

The most straightforward option to record all configuration changes to the CloudFront distribution is to use AWS CloudTrail.

AWS CloudTrail is a service that records all API calls made within an AWS account. It provides detailed information about who made the call, which service was called, what action was performed, and what parameters were used.

To enable CloudTrail to record all configuration changes made to the CloudFront distribution, you need to create a trail in the AWS Management Console or through the AWS CLI. The trail can be configured to log all management events related to the CloudFront distribution, including changes to the distribution configuration and its associated resources.

Once the CloudTrail trail is set up, it will automatically start recording all configuration changes made to the CloudFront distribution. You can then use the CloudTrail console or APIs to view the recorded events, and filter and search them based on various criteria.

AWS Config is another option that can be used to record configuration changes, but it is more suited for monitoring compliance and resource configuration changes across your entire AWS infrastructure. It is not as straightforward as CloudTrail for recording changes made to a specific CloudFront distribution.

AWS Config Rules can also be used to detect changes in resource configurations and evaluate compliance against predefined rules. However, it is not specifically designed for recording changes to a CloudFront distribution.

AWS CloudWatch Events can be used to detect and respond to changes in AWS resources, but it requires a Lambda function to be set up to perform the desired action. It is more suitable for triggering automated responses to configuration changes rather than recording them.
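As an added example (not from this page or from AWS) of the CloudTrail approach described above, the code below reads a CloudTrail log file, keeps only the CloudFront write calls (dropping read-only calls such as GetDistribution and events from other services) and extracts who made the change, from where, when and with which request parameters. The log content is constructed; the record layout (`Records`, `eventSource`, `eventName`, `readOnly`, `requestParameters`, `userIdentity`) follows the standard CloudTrail format, while every value is made up.

```python
import json
from typing import Optional

# Constructed CloudTrail log (not from a real account). Top-level field names
# follow the standard CloudTrail record format; all values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "userName": "alice"},
        "eventTime": "2024-01-02T09:29:40Z",
        "eventSource": "cloudfront.amazonaws.com",
        "eventName": "UpdateDistribution",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"id": "EXAMPLEDISTID",
                              "distributionConfig": {"priceClass": "PriceClass_100"}},
        "readOnly": False,
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/bob",
                         "userName": "bob"},
        "eventTime": "2024-01-02T10:05:12Z",
        "eventSource": "cloudfront.amazonaws.com",
        "eventName": "GetDistribution",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.11",
        "requestParameters": {"id": "EXAMPLEDISTID"},
        "readOnly": True,
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci",
                         "userName": "ci"},
        "eventTime": "2024-01-02T11:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.12",
        "requestParameters": {"bucketName": "example-bucket"},
        "readOnly": False,
    },
]})


def is_read_only(record: dict) -> bool:
    """Use CloudTrail's readOnly flag; fall back to the event-name prefix if it is absent."""
    if "readOnly" in record:
        return bool(record["readOnly"])
    return record.get("eventName", "").startswith(("Get", "List", "Describe"))


def cloudfront_changes(log_text: str, distribution_id: Optional[str] = None) -> list:
    """Return who/when/what for every CloudFront write call in a CloudTrail log file.

    distribution_id, when given, limits the result to calls whose request
    parameters name that distribution.
    """
    out = []
    for r in json.loads(log_text).get("Records", []):
        if r.get("eventSource") != "cloudfront.amazonaws.com" or is_read_only(r):
            continue
        params = r.get("requestParameters") or {}
        if distribution_id and params.get("id") != distribution_id:
            continue
        out.append({
            "time": r.get("eventTime"),
            "actor": r.get("userIdentity", {}).get("arn"),
            "sourceIp": r.get("sourceIPAddress"),
            "action": r.get("eventName"),
            "distributionId": params.get("id"),
            "requestParameters": params,
        })
    return out


if __name__ == "__main__":
    for change in cloudfront_changes(SAMPLE_TRAIL, distribution_id="EXAMPLEDISTID"):
        print(f"{change['time']} {change['actor']} {change['action']} "
              f"{change['distributionId']} from {change['sourceIp']}")
```

Each result records the API call and the parameters the caller submitted; it does not contain a before/after comparison of the distribution's settings, which is the distinction drawn in the answer key between CloudTrail and AWS Config's configuration history.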