What should the security engineer do to meet these requirements with the LEAST amount of effort?
Use AWS CloudTrail to monitor accounts for noncompliant configurations. Use AWS Lambda functions to evaluate configuration state and perform automated remediation actions.
Use AWS Config rules to monitor accounts for noncompliant configurations. Use AWS Systems Manager Automation to perform automated remediation actions.
Use Amazon GuardDuty to monitor accounts for noncompliant configurations. Use AWS Lambda function to perform automated remediation actions.
Use AWS Systems Manager Compliance to monitor accounts for noncompliant configurations. Use Systems Manager Automation to perform automated remediation actions.
Explanations:
AWS CloudTrail monitors API activity, not configuration compliance. Lambda can perform remediation, but this approach is not ideal for configuration monitoring.
AWS Config rules can monitor noncompliant configurations. AWS Systems Manager Automation can automatically remediate issues. This is the most efficient solution for the given task.
Amazon GuardDuty is used for threat detection, not configuration monitoring. Lambda can perform remediation, but GuardDuty is not designed for this purpose.
AWS Systems Manager Compliance tracks patch compliance, not configuration compliance for services like EBS or EC2. Automation can remediate, but it is not ideal for configuration monitoring.
My best guess is:
Use AWS Config rules to monitor accounts for noncompliant configurations. Use AWS Systems Manager Automation to perform automated remediation actions.
As far as I’m aware, the answer is:
Use AWS Config rules to monitor accounts for noncompliant configurations. Use AWS Systems Manager Automation to perform automated remediation actions.