Which solution will meet this requirement with the LEAST operational effort?
Create an Amazon CloudWatch alarm that enters ALARM state when security groups change. Configure the alarm to invoke an AWS Lambda function that connects to ServiceNow to create an incident.
Enable AWS Security Hub. Create an AWS Lambda function that connects to ServiceNow to create an incident. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as Security Hub Findings – Custom Action. Configure the EventBridge rule to invoke the Lambda function.
Create an Amazon EventBridge rule to detect security group changes. Configure the event type as AWS API Call via CloudTrail. Configure the EventBridge rule to run the AWS-CreateServiceNowIncident AWS Systems Manager Automation runbook to create an incident in ServiceNow.
Launch an Amazon EC2 instance that has a persistent connection to ServiceNow to detect security group changes. Export AWS CloudTrail logs to the EC2 instance. Write a bash script to run a scheduled cron job every 30 minutes to search the CloudTrail logs for security group changes. Configure the EC2 instance to create an incident in ServiceNow when a change is detected.
Explanations:
CloudWatch Alarms are designed to monitor metrics, not specific API calls or configuration changes. Security group changes are API calls logged in CloudTrail, not metrics, so this setup would not trigger as required.
Although Security Hub and EventBridge can handle security findings, this solution is overly complex and involves custom actions unnecessarily. Security Hub findings are not directly tied to security group change events, which makes this setup inefficient and more complex than needed.
EventBridge can directly detect specific CloudTrail API calls, such as changes to security group configurations. Configuring it with AWS Systems Manager Automation’s built-in ServiceNow runbook provides an efficient, automated way to create incidents in ServiceNow with minimal operational effort.
Using an EC2 instance with a cron job to analyze CloudTrail logs is unnecessarily complex and involves high operational overhead. This solution requires custom scripting and instance maintenance, making it inefficient and harder to manage compared to native AWS services.
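The detection half of the recommended design, as an added example that is not from the original page: the EventBridge pattern below uses the real field names EventBridge applies to CloudTrail events, while the list of EC2 API names that count as a "security group change" and the small matcher (a stand-in for the EventBridge engine, implementing only its exact-match semantics) are this example's own assumptions, so the rule's scope can be checked against constructed sample events before the runbook target is attached.

```python
import json

# Constructed EventBridge event pattern: CloudTrail records of the EC2 API calls
# that create, delete, or change the rules of a security group (assumed set).
SECURITY_GROUP_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": [
            "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
            "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
            "CreateSecurityGroup", "DeleteSecurityGroup",
        ],
    },
}


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every pattern key
    must be present; a list leaf matches if the event value is one of its
    entries; nested dicts are matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def should_open_incident(event_json):
    """True when the raw event would be routed to the runbook target."""
    return matches(SECURITY_GROUP_CHANGE_PATTERN, json.loads(event_json))


# Constructed sample events in the shape of EventBridge's CloudTrail envelope.
INGRESS_CHANGE = json.dumps({
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com",
               "eventName": "AuthorizeSecurityGroupIngress",
               "requestParameters": {"groupId": "sg-0example"}},
})
RUN_INSTANCES = json.dumps({
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
})
```

EventBridge only delivers `AWS API Call via CloudTrail` events when a CloudTrail trail with logging enabled exists in the account and region, so the rule stays silent without one.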