What solution ensures the LEAST amount of downtime for the CloudTrail log deliveries?
Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
Deploy the AWS-managed CloudTrail-enabled AWS Config rule, set with a periodic interval of 1 hour. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for AWS Config rules compliance change. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule for a scheduled event every 5 minutes. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on a CloudTrail trail in the AWS account. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.
Launch a t2.nano instance with a script running every 5 minutes that uses the AWS SDK to query CloudTrail in the current account. If the CloudTrail trail is disabled, have the script re-enable the trail.
Explanations:
EventBridge rule can capture the StopLogging event and trigger a Lambda function to call StartLogging immediately, ensuring minimal downtime.
AWS Config rule with a 1-hour periodic interval may delay remediation for up to 1 hour, which is not the least downtime solution.
A 5-minute scheduled EventBridge rule could cause unnecessary checks and delays, leading to less efficient remediation compared to event-driven solutions.
Running a t2.nano instance with a script every 5 minutes adds unnecessary complexity and cost. EventBridge with Lambda is more efficient and scalable.
From my perspective, the answer is:
Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the CloudTrail StopLogging event. Create an AWS Lambda function that uses the AWS SDK to call StartLogging on the ARN of the resource in which StopLogging was called. Add the Lambda function ARN as a target to the EventBridge (CloudWatch Events) rule.