Amazon DOP-C02 Exam - Topic 3 Question 15 Discussion

Actual exam question for Amazon's DOP-C02 exam

Question #: 15
Topic #: 3

A company is using AWS to run digital workloads. Each application team in the company has its own AWS account for application hosting. The accounts are consolidated in an organization in AWS Organizations.

The company wants to enforce security standards across the entire organization. To avoid noncompliance because of security misconfiguration, the company has enforced the use of AWS CloudFormation. A production support team can modify resources in the production environment by using the AWS Management Console to troubleshoot and resolve application-related issues.

A DevOps engineer must implement a solution to identify in near real time any AWS service misconfiguration that results in noncompliance. The solution must automatically remediate the issue within 15 minutes of identification. The solution also must track noncompliant resources and events in a centralized dashboard with accurate timestamps.

Which solution will meet these requirements with the LEAST development overhead?

AUse CloudFormation drift detection to identify noncompliant resources. Use drift detection events from CloudFormation to invoke an AWS Lambda function for remediation. Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group. Configure an Amazon CloudWatch dashboard to use the log group for tracking.

BTurn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resources. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.

CTurn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the ~no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.

DTurn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logs filters for drift detection. Use Amazon EventBridge to invoke the Lambda function for remediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up a dashboard on OpenSearch Service for tracking.

Show Suggested Answer

Suggested Answer: C

The best solution is to use AWS Config and AWS Security Hub to identify and remediate noncompliant resources across multiple AWS accounts. AWS Config enables continuous monitoring of the configuration of AWS resources and evaluates them against desired configurations. AWS Config can also automatically remediate noncompliant resources by using conformance packs, which are a collection of AWS Config rules and remediation actions that can be deployed as a single entity. AWS Security Hub provides a comprehensive view of the security posture of AWS accounts and resources. AWS Security Hub can aggregate and normalize the findings from AWS Config and other AWS services, as well as from partner solutions. AWS Security Hub can also be used to create a dashboard for tracking noncompliant resources and events in a centralized location.

The other options are not optimal because they either require more development overhead, do not provide near real time detection and remediation, or do not provide a centralized dashboard for tracking.

Option A is not optimal because CloudFormation drift detection is not a near real time solution. Drift detection has to be manually initiated on each stack or resource, or scheduled using a cron expression. Drift detection also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. CloudWatch Logs and dashboard can be used for tracking, but they do not provide a comprehensive view of the security posture of the AWS accounts and resources.

Option B is not optimal because CloudTrail logs analysis using Athena is not a near real time solution. Athena queries have to be manually run or scheduled using a cron expression. Athena also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. Step Functions can be used to orchestrate the query and remediation workflow, but it adds more complexity and cost. QuickSight dashboard can be used for tracking, but it does not provide a comprehensive view of the security posture of the AWS accounts and resources.

Option D is not optimal because CloudTrail logs analysis using CloudWatch Logs is not a near real time solution. CloudWatch Logs filters have to be manually created or updated for each resource type and configuration change. CloudWatch Logs also does not provide remediation actions, so a custom Lambda function has to be developed and invoked. EventBridge can be used to trigger the Lambda function, but it adds more complexity and cost. OpenSearch Service dashboard can be used for tracking, but it does not provide a comprehensive view of the security posture of the AWS accounts and resources.

AWS Config conformance packs

Introducing AWS Config conformance packs

Managing conformance packs across all accounts in your organization

by Belen at Dec 10, 2023, 07:17 AM

Limited Time Offer

25%

Off

Get Premium DOP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Regenia

3 months ago

I think B might miss the real-time aspect.

upvoted 0 times

...

Berry

3 months ago

C looks solid too, but it feels more complex.

upvoted 0 times

...

Vilma

3 months ago

Wait, can Lambda really fix issues that fast?

upvoted 0 times

...

Katlyn

4 months ago

Totally agree, less overhead is key!

upvoted 0 times

...

Jose

4 months ago

Option A seems the simplest with CloudFormation drift detection.

upvoted 0 times

...

Clay

4 months ago

I lean towards option A because it seems straightforward with CloudFormation, but I’m a bit hesitant about how well the Lambda function will integrate for remediation.

upvoted 0 times

...

Iraida

4 months ago

I feel like using AWS CloudTrail and analyzing logs could work, but I don't recall if CloudWatch Logs can handle drift detection effectively.

upvoted 0 times

...

Andrew

4 months ago

I think option C sounds familiar from our practice questions. AWS Config seems like a solid choice for tracking compliance, but I'm unsure about the conformance packs.

upvoted 0 times

...

Tawny

5 months ago

I remember we discussed using AWS CloudFormation for compliance, but I'm not sure if drift detection is the best approach for real-time remediation.

upvoted 0 times

...

Nobuko

5 months ago

This is a great question that really tests our understanding of AWS services and how to integrate them to meet specific requirements. I think I'll start by mapping out the key requirements and then systematically evaluating each of the options to determine the one that best meets them with the least development overhead.

upvoted 0 times

...

Leila

5 months ago

I'm a little confused by all the different AWS services mentioned in the question. I'll need to do some research on each one to understand how they work and how they could be used to solve this problem. Hopefully, I can figure out the best solution.

upvoted 0 times

...

Harris

5 months ago

Okay, I think I've got a good handle on this. Option A using CloudFormation drift detection and a Lambda function for remediation seems like the simplest and most straightforward solution that meets all the requirements. I'll focus on that approach.

upvoted 0 times

...

Marge

5 months ago

Hmm, this is a tricky one. There are a few different AWS services mentioned that could potentially be used to meet the requirements. I'll need to weigh the pros and cons of each approach to determine the one with the least development overhead.

upvoted 0 times

...

Jules

5 months ago

This looks like a pretty straightforward question, but I'll need to carefully read through the requirements to make sure I understand them fully before deciding on a solution.

upvoted 0 times

...

Terrilyn

5 months ago

Hmm, I'm not sure about this one. Configuring Docker without a trusted TLS certificate sounds risky. I'll need to think this through carefully.

upvoted 0 times

...

Lemuel

5 months ago

Hmm, not sure about this one. I'll have to think through the different ways recognition programs could impact the business. Let me re-read the options and see if I can spot the most important one.

upvoted 0 times

...

Aleisha

5 months ago

This one seems pretty straightforward. I'd go with Service desk - that's where you'd expect to see a lot of AI and automation to handle common requests.

upvoted 0 times

...

Mona

2 years ago

Haha, I'm just imagining the support team trying to troubleshoot issues using the AWS Management Console. That's like trying to fix a car by kicking the tires. Anyway, I think the Config and Security Hub solution is the way to go. It's the most comprehensive and should meet the requirements with the least ongoing maintenance.

upvoted 0 times

...

Galen

2 years ago

The CloudTrail and OpenSearch Service approach is interesting, but I'm not sure how well it would scale across multiple accounts. The Config and Security Hub solution seems like the most turnkey option, even if it has a higher initial setup cost. Besides, I like the idea of a centralized dashboard for tracking.

upvoted 0 times

...

Benton

2 years ago

I agree, the CloudFormation solution sounds promising, but the remediation timeline might be a challenge. The Config and Security Hub option seems more comprehensive, but it might have a higher setup overhead. I'm leaning towards that one, but I'd like to hear what the others think.

upvoted 0 times

...

Corazon

2 years ago

Hmm, this is a tricky question. CloudFormation drift detection seems like a good option, but I'm not sure if it can handle the 15-minute remediation requirement. The Athena and CloudWatch Logs approach could work, but it might be overkill for this use case.

upvoted 0 times

Ranee

2 years ago

B: It looks like we're all leaning towards Option A as the solution that meets the requirements with the least development overhead.

upvoted 0 times

...

Jody

2 years ago

C: I see your point. Option A does seem like a reliable choice for enforcing security standards across the organization.

upvoted 0 times

...

Phil

2 years ago

A: Exactly. Option A provides real-time identification of misconfigurations and automated remediation, which is crucial for maintaining security standards.

upvoted 0 times

...

Pete

2 years ago

D: I think Option A can handle the 15-minute requirement if set up properly. It's a good balance of efficiency and simplicity.

upvoted 0 times

...

Audria

2 years ago

C: But what about the 15-minute automatic remediation requirement? Do you think Option A can meet that?

upvoted 0 times

...

Rozella

2 years ago

B: I agree. Option A seems to be the most straightforward solution with minimal development overhead.

upvoted 0 times

...

Regenia

2 years ago

A: Option A seems like the best choice. CloudFormation drift detection coupled with Lambda function for remediation sounds efficient.

upvoted 0 times

...