Which solution will meet these requirements in the MOST operationally efficient manner?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
A company is implementing new compliance requirements to meet customer needs.According to the new requirements, the company must not use any Amazon RDS DB instances or DB clusters that lack encryption of the underlying storage.The company needs a solution that will generate an email alert when an unencrypted DB instance or DB cluster is created.The solution also must terminate the unencrypted DB instance or DB cluster.

Which solution will meet these requirements in the MOST operationally efficient manner?

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure an automatic remediation action to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an AWS Config managed rule to detect unencrypted RDS storage. Configure a manual remediation action to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic that includes an AWS Lambda function and an email delivery target as subscribers. Configure the Lambda function to delete the unencrypted resource.

Create an Amazon EventBridge rule that evaluates RDS event patterns and is initiated by the creation of DB instances or DB clusters. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic and to delete the unencrypted resource.

Explanations:

AWS Config can detect unencrypted RDS storage. By configuring an automatic remediation action, AWS Lambda can be triggered to both send an email (via SNS) and delete the unencrypted DB instance, fulfilling both the monitoring and termination requirements in an operationally efficient manner.

While AWS Config can detect unencrypted storage, a manual remediation action requires human intervention to invoke the Lambda function. This doesn’t meet the requirement for an automated solution.

EventBridge can detect DB instance creation, but the Lambda function here would publish to SNS before deleting the unencrypted DB resource. This approach doesn’t fully automate the remediation as required because it involves multiple steps that aren’t streamlined.

Although EventBridge and Lambda are correct choices, publishing messages to SNS isn’t necessary. The requirement is to immediately delete the unencrypted DB instance or DB cluster, which can be done directly by the Lambda function without involving SNS for alerts.

Leave a Reply

Your email address will not be published. Required fields are marked *

three × four =