What should a security engineer do to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company uses AWS CodePipeline for its software builds.Company policy mandates that code must be deployed to the staging environment before it is deployed to the production environment.The company needs to implement monitoring and alerting to detect when a CodePipeline pipeline is used to deploy code to production without the code first being deployed to staging.

What should a security engineer do to meet these requirements?

Enable Amazon GuardDuty to monitor AWS CloudTrail for CodePipeline. Configure findings through AWS Security Hub, and create a custom action in Security Hub to send to Amazon Simple Notification Service (Amazon SNS).

Use the AWS Cloud Development Kit (AWS CDK) to model reference-architecture CodePipeline pipeline that deploys application code through the staging environment and then the production environment.

Turn on AWS Config recording. Use a custom AWS Config rule to examine each CodePipeline pipeline for compliance. Configure an Amazon Simple Notification Service (Amazon SNS) notification on any change that is not in compliance with the rule. Add the desired receiver of the notification as a subscriber to the SNS topic.

Use Amazon Inspector to conduct an assessment of the CodePipeline pipelines and send a notification upon the discovery of a pipeline that is not in compliance. Add the desired receiver of the notification as a subscriber to the Amazon Simple Notification Service (Amazon SNS) topic.

Explanations:

Amazon GuardDuty is a threat detection service that monitors for suspicious activity but does not specifically monitor AWS CodePipeline workflows for compliance with staging and production deployment requirements. It would not be able to track deployment sequences directly.

The AWS Cloud Development Kit (AWS CDK) is used to model and deploy infrastructure but does not directly provide a mechanism to monitor CodePipeline execution or enforce a deployment sequence like staging before production.

AWS Config can be used to create custom rules that examine AWS resource configurations, including CodePipeline. A custom rule can be created to ensure that CodePipeline deploys to staging before production, and SNS can be used to alert on non-compliance.

Amazon Inspector is a security assessment service designed to scan for vulnerabilities in Amazon EC2 instances, not for monitoring CodePipeline compliance with deployment policies. It does not monitor or enforce pipeline deployment orders.

2025-09-30

1 Comment

  1. Aaron
    Author

    I chart that the answer is:
    Turn on AWS Config recording. Use a custom AWS Config rule to examine each CodePipeline pipeline for compliance. Configure an Amazon Simple Notification Service (Amazon SNS) notification on any change that is not in compliance with the rule. Add the desired receiver of the notification as a subscriber to the SNS topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 − 4 =