A company's director of information security wants a daily email report from AWS that contains recommendations for each company account to meet AWS Security best practices. Which solution would meet these requirements?
A. In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.
B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty's integration with Amazon SNS to report on findings.
C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS.
D. Use AWS Artifact's prebuilt reports and subscriptions. Subscribe the director of information security to the reports by adding the director as the security alternate contact for each account.
As per the docs:
https://aws.amazon.com/premiumsupport/technology/trusted-advisor/
AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. You can then follow the recommendations to optimize your services and resources.
A would provide 'recommendations' for 'best practices'. D might provide some recommendations, but I can't see a prebuilt report being as actionable. I'd use AWS Artifact for accessing compliance documents and certificates.
A. In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports.
This solution allows you to automate the process by using AWS Lambda to query the AWS Support API for Trusted Advisor security checks. The results can then be sent to an Amazon SNS topic, which can be subscribed to by the director of information security. This way, the director will receive a daily email report containing recommendations for each company account to meet AWS security best practices.
AWS Artifact provides access to various prebuilt reports that contain important compliance and security information. These reports can be subscribed to and received via email. By subscribing the director of information security as the security alternate contact for each AWS account, they will receive the prebuilt reports on a regular basis, including recommendations for meeting AWS Security best practices.
Option A suggests using AWS Lambda to query the AWS Support API for Trusted Advisor security checks and sending the results via Amazon SNS. While this approach can provide insights into security best practices, it does not offer a prebuilt report specifically tailored for the purpose.
Option D (Use AWS Artifact's prebuilt reports and subscriptions) is more focused on accessing compliance reports rather than providing daily reports with recommendations for security best practices.
The answer is A due to the business use case. For example, Trusted Advisor can be used to send weekly or daily reports to your Chief Information Officer. Trusted Advisor is designed for internal IT compliance and best practices. However, AWS Artifact provides on demand access to AWS compliance documents which are better suited for auditors external to the business. PCI, SOX, NERC, NIST etc.
A
In this solution, AWS Lambda is used to query the AWS Support API for AWS Trusted Advisor security checks in every AWS account. The results are then sent to an Amazon SNS topic, which sends daily email reports to the director of information security. AWS Trusted Advisor provides best practice recommendations across multiple categories such as security, cost optimization, and fault tolerance. This makes it a suitable service for providing security recommendations.
Option D would be the best solution for the requirements. AWS Artifact provides a set of prebuilt reports that help customers understand and demonstrate their compliance with security and compliance regulations. These reports cover a range of services such as Amazon S3, Amazon EC2, AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), and more.
To meet the requirements, the director of information security can be added as the security alternate contact for each AWS account. This would allow the director to receive the prebuilt reports via email. The reports can be scheduled to be delivered daily, and they include recommendations for each service to meet AWS security best practices. This solution is easy to set up and provides the required daily reports without the need for additional configuration or custom code.
Answer is A: AWS Artifact does not provide security best practices recommendations, and there is no need to add the director as the backup of the security engineer. Option A uses AWS Trusted Advisor and uses Lambda and SNS to automate the reporting part.
A. If you have a Basic or Developer Support plan, you can use the Trusted Advisor console to access all checks in the Service Limits category and six checks in the Security category.
If you have a Business or Enterprise Support plan, you can use the Trusted Advisor console and the AWS Support API to access all Trusted Advisor checks. You also can use Amazon CloudWatch Events to monitor the status of Trusted Advisor checks. For more information, see Monitoring Trusted Advisor check results with Amazon CloudWatch Events.
https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html
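A sketch of the Lambda function that option A describes, added here as an illustration and not taken from any comment in the thread. It assumes a daily schedule invokes the handler in each account, that the SNS topic ARN is supplied in a hypothetical `REPORT_TOPIC_ARN` environment variable, and that the account has the Business or Enterprise Support plan the Support API requires; the `support` and `sns` parameters are hypothetical injection points for testing.

```python
import os


def build_report(support, account_id):
    """Return (subject, body) for security checks in warning or error state."""
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    lines = []
    for check in checks:
        # Trusted Advisor also covers cost, performance and limits; keep security only.
        if check["category"] != "security":
            continue
        result = support.describe_trusted_advisor_check_result(
            checkId=check["id"], language="en"
        )["result"]
        if result["status"] in ("warning", "error"):
            flagged = result.get("resourcesSummary", {}).get("resourcesFlagged", 0)
            lines.append(
                f"[{result['status'].upper()}] {check['name']}: "
                f"{flagged} resource(s) flagged"
            )
    # SNS rejects subjects longer than 100 characters.
    subject = f"Trusted Advisor security report for {account_id}"[:100]
    body = "\n".join(sorted(lines)) or "No security checks in warning or error state."
    return subject, body


def lambda_handler(event, context, support=None, sns=None):
    """Entry point; support and sns are hypothetical test hooks."""
    if support is None or sns is None:
        import boto3  # bundled with the Lambda Python runtime

        # The AWS Support API is served from the us-east-1 endpoint.
        support = support or boto3.client("support", region_name="us-east-1")
        sns = sns or boto3.client("sns")
    # The account ID is the fifth field of the function's own ARN.
    account_id = context.invoked_function_arn.split(":")[4]
    subject, body = build_report(support, account_id)
    sns.publish(
        TopicArn=os.environ["REPORT_TOPIC_ARN"],  # assumed variable name
        Subject=subject,
        Message=body,
    )
    return {"account": account_id, "subject": subject, "body": body}
```
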