A SysOps administrator has enabled AWS CloudTrail in an AWS account. If CloudTrail is disabled, it must be re-enabled immediately. What should the SysOps administrator do to meet these requirements WITHOUT writing custom code?
A. Add the AWS account to AWS Organizations. Enable CloudTrail in the management account.
B. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action.
C. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Configure the rule to invoke an AWS Lambda function to enable CloudTrail.
D. Create an Amazon EventBridge (Amazon CloudWatch Event) hourly rule with a schedule pattern to run an AWS Systems Manager Automation document to enable CloudTrail.
B. Create an AWS Config rule that is invoked when CloudTrail configuration changes. Apply the AWS-ConfigureCloudTrailLogging automatic remediation action. Most Voted
Explanation:
Option B directly addresses the requirement to re-enable CloudTrail without writing custom code. By using an AWS Config rule with an automatic remediation action, it ensures that CloudTrail is enabled whenever its configuration changes, thus meeting the requirement efficiently.
Why not the others?
A: Adding the account to AWS Organizations and enabling CloudTrail in the management account does not ensure immediate re-enablement of CloudTrail in the specific account.
C: This option involves invoking a Lambda function, which implies writing custom code, contrary to the requirement.
D: While using EventBridge could work, it introduces unnecessary complexity and does not directly address the immediate need to re-enable CloudTrail without custom code.
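The pattern in option B, expressed as an added CloudFormation template (this is an illustration written for this page, not code from the page, from AWS, or from the linked guidance): the AWS-managed `cloudtrail-enabled` rule marks the account NON_COMPLIANT when no trail is logging, and an `AWS::Config::RemediationConfiguration` with `Automatic: true` makes Config run an AWS-owned Systems Manager Automation runbook itself, so no Lambda or other custom code is involved. The runbook name (`AWS-EnableCloudTrail`, which one commenter below reports finding) and the runbook parameter names `AutomationAssumeRole` and `S3BucketName` are assumptions; confirm them under Systems Manager > Documents in your account before deploying, since commenters disagree about which document exists.

```yaml
# Added example (not from the page): detect a disabled trail with the managed
# cloudtrail-enabled rule and re-enable it through automatic SSM remediation.
AWSTemplateFormatVersion: "2010-09-09"
Description: Re-enable CloudTrail via AWS Config automatic remediation (added example)

Parameters:
  RemediationDocumentName:
    Type: String
    Default: AWS-EnableCloudTrail   # ASSUMPTION: verify the exact runbook name in Systems Manager > Documents
    Description: AWS-owned Automation runbook that turns CloudTrail logging back on
  TrailS3BucketName:
    Type: String
    Description: Existing bucket that receives trail logs (passed through to the runbook)

Resources:
  # Role the runbook assumes; scoped to the CloudTrail calls needed to restore logging.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReenableCloudTrail
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - cloudtrail:StartLogging
                  - cloudtrail:CreateTrail
                  - cloudtrail:UpdateTrail
                  - cloudtrail:DescribeTrails
                  - cloudtrail:GetTrailStatus
                Resource: "*"
              - Effect: Allow
                Action: s3:PutBucketPolicy
                Resource: !Sub arn:aws:s3:::${TrailS3BucketName}

  # Managed rule: NON_COMPLIANT when no trail is enabled. This rule is periodic,
  # so MaximumExecutionFrequency bounds how long a disabled trail goes undetected.
  CloudTrailEnabledRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudtrail-enabled
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED
      MaximumExecutionFrequency: One_Hour

  # Automatic remediation: Config starts the runbook on every NON_COMPLIANT evaluation.
  CloudTrailRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref CloudTrailEnabledRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref RemediationDocumentName
      Automatic: true
      MaximumAutomaticAttempts: 5
      RetryAttemptSeconds: 60
      Parameters:
        # ASSUMPTION: these keys must match the runbook's own input parameter names.
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
        S3BucketName:
          StaticValue:
            Values:
              - !Ref TrailS3BucketName
```

Because `cloudtrail-enabled` is evaluated on a schedule rather than on configuration change, the one-hour frequency is the realistic detection latency here; the remediation itself, once triggered, runs without any waiting period. Deploy the template in the account being protected, and check the remediation execution status in the Config console after deliberately stopping a test trail to confirm the runbook and role are wired correctly.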
Option B allows for automatic remediation of CloudTrail configuration changes. By creating an AWS Config rule with the AWS-ConfigureCloudTrailLogging remediation action, you can ensure that if CloudTrail is ever disabled, it will be automatically re-enabled.
Option A (adding the AWS account to AWS Organizations and enabling CloudTrail in the management account) is not directly related to re-enabling CloudTrail if it's disabled.
Option C (creating an AWS Config rule to invoke a Lambda function) would require writing custom code, which is specifically mentioned as not being allowed in the question.
Option D (creating an Amazon EventBridge rule with an Automation document) would also require custom code through AWS Systems Manager Automation documents, which is not allowed as per the question's constraints.
B ... https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html
The answer is B. I did not know that AWS-ConfigureCloudTrailLogging exists in AWS Systems Manager until I checked too. You can find it in Systems Manager -> Documents, then check the Automation documents box under the Categories section, and you will see "AWS-ConfigureCloudTrailLogging". In fact, if you click on the AWS-ConfigureCloudTrailLogging link, you will see a state machine visual that explains how to use this automation.
It does...
Login to account > AWS Systems Manager > Documents (Under shared resources)
All documents then search for key word "AWS-ConfigureCloudTrailLogging"
I have a hard time voting for "B" just because there is no "AWS-ConfigureCloudTrailLogging" Config rule, SSM Document, SSM Runbook, or SSM Automation. There is an SSM "Runbook" named "AWS-EnableCloudTrail" that I presume would make "D" work, but it seems kludgy to check hourly for something that could be automated to turn on when it's turned off with no wait period. Not sure if this is a trick question or just a poorly worded question. "B" is wrong if you take the wording literally. If you presume what they really meant to say was to use the "cloudtrail-enabled" config rule, then it might be correct. But that is NOT what it says.
B. But I would use an SCP to prevent any disabling action. https://aws.amazon.com/es/blogs/industries/best-practices-for-aws-organizations-service-control-policies-in-a-multi-account-environment/
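The preventive control the comment above suggests, as an added CloudFormation example for the Organizations management account (written for this page, not taken from the page or the linked blog): a service control policy that denies the CloudTrail API calls which would stop or alter a trail in the targeted OU, so the Config remediation only has to cover the residual cases. The OU ID and the exempted break-glass role name are placeholders.

```yaml
# Added example (not from the page): SCP that blocks disabling CloudTrail in an OU.
# Deploy from the management account; SCPs never apply to the management account itself.
AWSTemplateFormatVersion: "2010-09-09"
Description: Service control policy protecting CloudTrail trails (added example)

Parameters:
  TargetOuId:
    Type: String
    Description: OU or account ID the policy attaches to (placeholder, e.g. ou-xxxx-xxxxxxxx)
  BreakGlassRoleName:
    Type: String
    Default: CloudTrailAdmin   # placeholder: the one role still allowed to change trails
    Description: Role name exempted from the deny, for deliberate trail maintenance

Resources:
  ProtectCloudTrailScp:
    Type: AWS::Organizations::Policy
    Properties:
      Name: ProtectCloudTrail
      Type: SERVICE_CONTROL_POLICY
      Description: Deny stopping, deleting or reconfiguring CloudTrail trails
      TargetIds:
        - !Ref TargetOuId
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyDisablingCloudTrail
            Effect: Deny
            Action:
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - cloudtrail:UpdateTrail
              - cloudtrail:PutEventSelectors
            Resource: "*"
            Condition:
              # Only the named break-glass role may still perform these actions.
              StringNotLike:
                aws:PrincipalArn: !Sub arn:aws:iam::*:role/${BreakGlassRoleName}
```

An SCP is a guardrail, not a detection: it stops IAM principals in the member accounts from turning the trail off, but it does not cover the management account, and a trail can still stop logging for other reasons (for example a deleted or misconfigured destination bucket). Pairing the SCP with the Config remediation in option B covers both the prevention and the recovery paths.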