Which solution will meet these requirements?

By:
On:
In: DOP-C02
Tagged:
With: 0 Comments
A company requires its developers to tag all Amazon Elastic Block Store (Amazon EBS) volumes in an account to indicate a desired backup frequency.This requirement Includes EBS volumes that do not require backups.The company uses custom tags named Backup_Frequency that have values of none, dally, or weekly that correspond to the desired backup frequency.An audit finds that developers are occasionally not tagging the EBS volumes.A DevOps engineer needs to ensure that all EBS volumes always have the Backup_Frequency tag so that the company can perform backups at least weekly unless a different value is specified.

Which solution will meet these requirements?

Set up AWS Config in the account. Create a custom rule that returns a compliance failure for all Amazon EC2 resources that do not have a Backup Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.

Set up AWS Config in the account. Use a managed rule that returns a compliance failure for EC2::Volume resources that do not have a Backup Frequency tag applied. Configure a remediation action that uses a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly.

Turn on AWS CloudTrail in the account. Create an Amazon EventBridge rule that reacts to EBS CreateVolume events. Configure a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly. Specify the runbook as the target of the rule.

Turn on AWS CloudTrail in the account. Create an Amazon EventBridge rule that reacts to EBS CreateVolume events or EBS ModifyVolume events. Configure a custom AWS Systems Manager Automation runbook to apply the Backup_Frequency tag with a value of weekly. Specify the runbook as the target of the rule.

Explanations:

While AWS Config can be used to check for the presence of tags, using a custom rule and a Systems Manager Automation runbook is not necessary because AWS provides managed rules that can simplify compliance checks and remediations. Additionally, there’s no direct link to the volume creation events that need to be monitored.

This option uses AWS Config with a managed rule specifically designed to check for the presence of the Backup_Frequency tag on EC2::Volume resources. It also allows for automatic remediation using a Systems Manager Automation runbook to apply the tag with a default value of weekly, ensuring compliance effectively.

Turning on AWS CloudTrail and creating an EventBridge rule for EBS CreateVolume events does not ensure that existing volumes are tagged correctly or manage compliance over time. This option would only address new volume creation, not existing volumes that lack the tag.

Similar to option C, while this option includes both CreateVolume and ModifyVolume events, it still only addresses the tagging of newly created or modified volumes and does not ensure that all existing volumes are properly tagged or checked for compliance. It does not provide a comprehensive solution for ongoing compliance with the tagging requirement.

Leave a Reply

Your email address will not be published. Required fields are marked *

15 + twelve =