Which solution will meet these requirements with the LEAST development overhead?
Use CloudFormation drift detection to identify noncompliant resources. Use drift detection events from CloudFormation to invoke an AWS Lambda function for remediation. Configure the Lambda function to publish logs to an Amazon CloudWatch Logs log group. Configure an Amazon CloudWatch dashboard to use the log group for tracking.
Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon Athena to identify noncompliant resources. Use AWS Step Functions to track query results on Athena for drift detection and to invoke an AWS Lambda function for remediation. For tracking, set up an Amazon QuickSight dashboard that uses Athena as the data source.
Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the –no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.
Turn on AWS CloudTrail in the AWS accounts. Analyze CloudTrail logs by using Amazon CloudWatch Logs to identify noncompliant resources. Use CloudWatch Logs filters for drift detection. Use Amazon EventBridge to invoke the Lambda function for remediation. Stream filtered CloudWatch logs to Amazon OpenSearch Service. Set up a dashboard on OpenSearch Service for tracking.
Explanations:
While CloudFormation drift detection can identify configuration drift, it is not specifically designed for continuous monitoring of noncompliance across all services. Additionally, using drift detection events for automated remediation may not always address the broader compliance needs efficiently within the 15-minute requirement. The solution lacks a centralized tracking mechanism that captures noncompliant events in real time.
Although using AWS CloudTrail and Amazon Athena can identify noncompliant resources, the reliance on Athena queries for real-time monitoring is inefficient and not immediate. This solution may not consistently detect and remediate issues within the 15-minute window, and tracking through QuickSight could add complexity and delays, as it requires manual setup of dashboards based on query results.
This option effectively leverages AWS Config to continuously monitor resource compliance against defined rules, and it enables automatic remediation through AWS Config conformance packs. By utilizing AWS Security Hub for tracking compliance status and events, it provides a centralized view with accurate timestamps, meeting the requirement for near real-time identification and remediation of noncompliance.
Although AWS CloudTrail can provide logs of resource activities, relying solely on CloudWatch Logs for drift detection is not optimal for compliance monitoring. This option may result in delays in detecting noncompliance and requires additional complexity to manage OpenSearch Service for tracking, which does not provide the centralized and immediate visibility needed for effective compliance management.
I categorize that the answer is:
Turn on the configuration recorder in AWS Config in all the AWS accounts to identify noncompliant resources. Enable AWS Security Hub with the –no-enable-default-standards option in all the AWS accounts. Set up AWS Config managed rules and custom rules. Set up automatic remediation by using AWS Config conformance packs. For tracking, set up a dashboard on Security Hub in a designated Security Hub administrator account.