What combination of actions should the Engineer take?
(Choose two.)
Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
Create an AWS Config configuration item for each VPC in the company AWS account.
Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.
Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
Explanations:
An AWS Lambda function can determine whether Flow Logs are enabled for a VPC by programmatically checking each VPC's flow log settings (for example, by querying the flow logs associated with that VPC and checking that at least one is active).
AWS Config configuration items record the state of tracked resources, but a configuration item alone does not audit whether Flow Logs are enabled. It supplies the resource state that a rule evaluates; it does not perform the compliance check itself.
An AWS Config managed rule with a resource type of AWS::Lambda::Function would evaluate Lambda functions, not VPCs. Managed rules provide predefined checks; custom evaluation logic written in a Lambda function must be attached through a custom rule.
CloudWatch Events rules are useful for triggering actions on events emitted by AWS Config, but this option alone does not audit VPC Flow Log compliance. It is supplementary to the main compliance check.
An AWS Config custom rule can invoke a Lambda function that evaluates whether VPC Flow Logs are enabled and reports the result back to AWS Config. Together with the Lambda function, this is the proper combination for automating the audit of VPCs for compliance.
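As an added illustration (not part of the original question or answer key), the following Lambda handler implements the evaluation logic an AWS Config custom rule would invoke: it reads the configuration item AWS Config delivers, looks up the VPC's flow logs, and reports COMPLIANT or NON_COMPLIANT through PutEvaluations. The event shape, the `resource-id` filter and the evaluation fields follow the AWS Config custom rule contract; the helper names and the sample values in the test are my own.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_vpc(vpc_id, flow_logs):
    """Pure evaluation logic over the FlowLogs list returned by DescribeFlowLogs:
    a VPC is compliant when at least one flow log targeting it is ACTIVE."""
    active = [fl for fl in flow_logs
              if fl.get("ResourceId") == vpc_id and fl.get("FlowLogStatus") == "ACTIVE"]
    if active:
        return COMPLIANT, "Active flow log(s): " + ", ".join(fl["FlowLogId"] for fl in active)
    return NON_COMPLIANT, "No active VPC Flow Log found for " + vpc_id


def build_evaluation(ci, compliance_type, annotation):
    """Build the evaluation record AWS Config expects in PutEvaluations."""
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],  # AWS Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def evaluate_configuration_item(ci, flow_logs):
    """Decide the evaluation for one configuration item delivered by AWS Config."""
    if ci["resourceType"] != "AWS::EC2::VPC":
        return build_evaluation(ci, NOT_APPLICABLE, "Rule only evaluates VPCs")
    if ci["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return build_evaluation(ci, NOT_APPLICABLE, "VPC has been deleted")
    compliance, note = evaluate_vpc(ci["resourceId"], flow_logs)
    return build_evaluation(ci, compliance, note)


def lambda_handler(event, context):
    """Entry point invoked by the AWS Config custom rule on a configuration change."""
    import boto3  # imported here so the evaluation logic above is testable without the SDK
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    flow_logs = []
    if ci["resourceType"] == "AWS::EC2::VPC":
        resp = boto3.client("ec2").describe_flow_logs(
            Filters=[{"Name": "resource-id", "Values": [ci["resourceId"]]}])
        flow_logs = resp.get("FlowLogs", [])
    evaluation = evaluate_configuration_item(ci, flow_logs)
    # resultToken ties this evaluation back to the invocation AWS Config made
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```

Deploy the function with an execution role allowed to call ec2:DescribeFlowLogs and config:PutEvaluations, and point the custom rule's trigger at the AWS::EC2::VPC resource type.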