Which strategies should a Solutions Architect use to meet the business requirements and continuously assess, audit, and monitor the configurations of AWS resources?
(Choose two.)
A. Use AWS Config rules to periodically audit changes to AWS resources and monitor the compliance of the configuration. Develop AWS Config custom rules using AWS Lambda to establish a test-driven development approach, and further automate the evaluation of configuration changes against the required controls.
B. Use the Amazon CloudWatch Logs agent to collect all the AWS SDK logs. Search the log data using a pre-defined set of filter patterns that match mutating API calls. Send notifications using Amazon CloudWatch alarms when unintended changes are performed. Archive log data by using a batch export to Amazon S3 and then Amazon Glacier for long-term retention and auditability.
C. Use AWS CloudTrail events to assess management activities of all AWS accounts. Ensure that CloudTrail is enabled in all accounts and available AWS services. Enable trails, encrypt CloudTrail event log files with an AWS KMS key, and monitor recorded activities with CloudWatch Logs.
D. Use the Amazon CloudWatch Events near-real-time capabilities to monitor system event patterns, and trigger AWS Lambda functions to automatically revert non-authorized changes in AWS resources. Also, target Amazon SNS topics to enable notifications and improve the response time of incident responses.
E. Use CloudTrail integration with Amazon SNS to automatically notify on unauthorized API activity. Ensure that CloudTrail is enabled in all accounts and available AWS services. Evaluate the usage of Lambda functions to automatically revert non-authorized changes in AWS resources.
Explanations:
AWS Config rules allow for continuous monitoring and compliance assessment of AWS resources. Custom rules can be developed using AWS Lambda to automate evaluations against compliance standards, aligning with the framework for validating AWS best practices.
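To make the "custom rule backed by Lambda, developed test-first" idea concrete, here is an added example (not from the exam page or any AWS sample) of a Config custom rule whose control logic is a pure function that can be unit-tested offline. The control it enforces is an assumption chosen for illustration: no security group may permit TCP/22 ingress from 0.0.0.0/0. The sample event and security group contents are constructed; the field names follow the Config custom rule invocation and PutEvaluations shapes.

```python
import json

# Constructed Config invocation event (shape follows a Config custom rule
# invocation; the security group contents are made up for this example).
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}}),
}

def ingress_open_to_world(perm):
    """True if one ipPermissions entry allows TCP/22 (or all traffic) from anywhere."""
    if perm.get("ipProtocol") not in ("tcp", "-1"):
        return False
    low, high = perm.get("fromPort") or 0, perm.get("toPort") or 65535
    if not low <= 22 <= high:
        return False
    return any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", []))

def evaluate_compliance(item):
    """Pure, unit-testable control: returns (ComplianceType, Annotation)."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    perms = item.get("configuration", {}).get("ipPermissions", [])
    if any(ingress_open_to_world(p) for p in perms):
        return "NON_COMPLIANT", "TCP/22 ingress permitted from 0.0.0.0/0"
    return "COMPLIANT", "no world-open SSH ingress"

def build_evaluation(event):
    """Turn the Config event into the entry PutEvaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Entry point Config invokes; reports the verdict back via PutEvaluations."""
    import boto3  # imported here so the evaluator above stays testable offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

Because `evaluate_compliance` never touches AWS, the control can be covered by unit tests before the rule is deployed, and the same function is what Config runs on every configuration change.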
While Amazon CloudWatch Logs can help monitor logs, it does not directly audit the configurations of AWS resources. The approach described focuses on tracking API call activity rather than on ensuring that configurations comply with the required controls.
AWS CloudTrail captures all management events across AWS accounts, providing a comprehensive audit trail of changes and configurations. Enabling encryption and monitoring with CloudWatch Logs enhances the security and auditability of the CloudTrail logs, meeting the requirement for continuous assessment.
Although using CloudWatch Events and Lambda functions can help respond to unauthorized changes, it does not provide a continuous assessment or auditing mechanism for compliance. It focuses on reactive measures rather than proactive monitoring of configurations.
Similar to option D, while CloudTrail integration with SNS can notify on unauthorized API activity, it lacks a comprehensive mechanism for ongoing configuration auditing and compliance assessment. The emphasis is on notifications rather than on continuous monitoring and evaluation.