Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 219 discussion

Both B and D work, except B has no notification set. https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/

I vote D. aws config changes can be sent to SNS topic https://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html

B is faster

Both B and D works. But the question is asking for FASTEST. For cloudTrail, you need: CloudTrail → CloudWatch Logs → CloudWatch Metric Filter → CloudWatch Alarm → SNS Notification For aws Config, it natively support integration with SNS. Hence we should choose D

I'm leaning towards D, but looks what it says in this blog: https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/ For the Config option, it says: "The use of AWS Config in Method 1 allows for the configuration of a security group to be tracked along with other AWS resources. Changes to the security group’s configuration are reported during the next Config compliance evaluation, typically within 10 minutes" and for the CloudTrail option it says: "The use of CloudTrail and CloudWatch Events in Method 2 allows for the near real-time detection of API calls that could change the configuration of a VPC security group" So it seems clear cut to me that the answer is B, although if I hadn't seen this blog I would've picked D probably

For me the answer is B. Here we are talking about "tracking al changes" and "notify for non-compliant". It's certainly a very ambiguous question that the folks at AWS could have spared us, but for me (and for chat-gpt) B is the answer :)

D: AWS Config provides rules to detect non-complaint config B: Can track all event however doesn't provide native support for rules to detect non-complaint changes

In my opinion, the question asks for (1) a “system that tracks CHANGES” and (2) asks to “send alerts when the engineers make NONCOMPLIANT CHANGES,” I would choose B since B satisfies the first condition and D does not. B: implies that CloudTrail tracks all changes. D: states that Config will only track noncompliant changes, but question is asking for all changes. But overall this is just another poorly constructed and ambiguous question and answer, which seems to be the norm with these lol

B is ans https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/ Speed: Implementing CloudTrail and CloudWatch is faster than setting up AWS Organizations or using SCPs. You can do it in minutes without modifying the entire account structure or deploying additional resources. Granularity: CloudTrail and CloudWatch offer fine-grained control over monitoring and alerting, allowing you to define specific rules for noncompliant security settings. Flexibility: You can easily adapt the CloudWatch rules to different types of noncompliance and adjust the alerts to suit your notification needs. Existing infrastructure: If the company already uses CloudTrail for logging, setting up CloudWatch rules is a natural extension without requiring significant changes.

Answer D. AWS Config is perfect to track config changes. SNS for notification.

B is better option than D. D only sends an SNS alert when there are non-compliant changes. It does not allow you to actually track each and every changes engineers make.

It's D https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html

Correct D.

D works and faster B would work with adding a CW alert, but D still better

correct is D

D reference link https://aws.amazon.com/es/blogs/industries/how-to-monitor-alert-and-remediate-non-compliant-hipaa-findings-on-aws/

It's D. Check this link, something similar: https://aws.amazon.com/blogs/industries/how-to-monitor-alert-and-remediate-non-compliant-hipaa-findings-on-aws/