What should the security engineer do next to meet these requirements?
A. Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricted-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.
B. Configure an Amazon EventBridge (Amazon CloudWatch Events) event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.
C. Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
D. Configure an Amazon CloudWatch alarm on the CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state.
Explanations:
A. This option involves using an S3 bucket to store AWS Config snapshots and triggers a Lambda function on S3 events. However, this method is not the most efficient for monitoring compliance changes from AWS Config, as AWS Config can directly publish compliance changes without needing to store snapshots in S3. This adds unnecessary complexity and latency to the notification process.
B. This option leverages Amazon EventBridge to directly respond to compliance change events from AWS Config for the restricted-ssh managed rule. By configuring an EventBridge rule to target an SNS topic, the company will receive near-real-time notifications of compliance changes, effectively meeting the requirement. This is the most straightforward and efficient method to achieve real-time notifications.
C. This option requires sending AWS Config compliance notifications to CloudWatch Logs and then setting up a metric filter and alarm. While it could work, it introduces unnecessary complexity and delay compared to using EventBridge. Additionally, it does not provide the immediate notification capability as effectively as the EventBridge solution.
D. This option suggests creating a CloudWatch alarm on a metric for the restricted-ssh managed rule. However, AWS Config rules do not directly create CloudWatch metrics for compliance changes. This means there would be no metrics to monitor, making this option incorrect for real-time compliance notifications.
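As an added example (not part of the question and not AWS code), the Python below shows the event pattern the EventBridge rule in the correct option would carry for the restricted-ssh rule, plus a simplified matcher that applies EventBridge's exact-match semantics to constructed AWS Config compliance-change events. The security group id and region in the sample events are assumed values.

```python
# Added example: EventBridge-style matching of AWS Config compliance-change
# events. The matcher is a simplified reimplementation of EventBridge's
# exact-match semantics (list = any of, nested dict = recurse), not AWS code.
from typing import Any

# Pattern an EventBridge rule would use to catch compliance changes that
# AWS Config emits for the restricted-ssh managed rule.
RESTRICTED_SSH_PATTERN: dict[str, Any] = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"configRuleName": ["restricted-ssh"]},
}


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """True if every pattern key is satisfied; missing keys never match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:  # expected is a list of literal values
            return False
    return True


def sns_message(event: dict[str, Any]) -> str:
    """Build the notification text the SNS topic would deliver."""
    d = event["detail"]
    return (f"AWS Config rule {d['configRuleName']} is now "
            f"{d['newEvaluationResult']['complianceType']} for "
            f"{d['resourceType']} {d['resourceId']} in {d['awsRegion']}")


def constructed_event(rule: str, compliance: str) -> dict[str, Any]:
    """Constructed sample event in the shape AWS Config publishes."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "configRuleName": rule,
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",  # assumed sample id
            "awsRegion": "us-east-1",  # assumed sample region
            "newEvaluationResult": {"complianceType": compliance},
        },
    }
```

Events for other Config rules, or with a different detail-type, fall through the pattern and produce no SNS notification, which is what keeps the topic limited to restricted-ssh changes.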