Which combination of steps should the security engineer take to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A company has a requirement that none of its Amazon RDS resources can be publicly accessible.A security engineer needs to set up monitoring for this requirement and must receive a near-real-time notification if any RDS resource is noncompliant.

Which combination of steps should the security engineer take to meet these requirements?

(Choose three.)

Configure RDS event notifications on each RDS resource. Target an AWS Lambda function that notifies AWS Config of a change to the RDS public access setting

Configure the rds-instance-public-access-check AWS Config managed rule to monitor the RDS resources.

Configure the Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.

Configure RDS event notifications to post events to an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the SQS queue to an Amazon Simple Notification Service (Amazon SNS) topic to provide a notification to the security engineer.

Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked by a compliance change event from the rds-instance-public-access-check rule.

Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that is invoked when the AWS Lambda function notifies AWS Config of an RDS event change.

Explanations:

While configuring RDS event notifications can alert on changes, it does not provide a direct compliance check or ensure near-real-time notification for noncompliance with public accessibility. This option alone does not fulfill the requirement of monitoring for compliance.

The rds-instance-public-access-check AWS Config managed rule actively monitors RDS instances for compliance regarding their public accessibility setting, which directly aligns with the requirement to ensure none of the resources are publicly accessible.

Configuring an Amazon EventBridge rule to target an SNS topic allows for immediate notifications to the security engineer when a change in compliance is detected, thus providing near-real-time alerts as required.

This approach, involving SQS and SNS, introduces unnecessary complexity. While it can send notifications, it does not directly monitor compliance or provide real-time alerts based on the RDS public access setting.

This option directly connects the compliance change detected by the AWS Config rule to a notification system, ensuring that any noncompliance regarding public accessibility is flagged in near-real-time, which meets the requirement.

While this option involves a Lambda function, it relies on notifications from the function to AWS Config, which is not necessary since the AWS Config rule can directly trigger notifications. This adds unnecessary steps and complexity to the monitoring process.

2026-04-05

2 Comments

  1. Billy
    Author

    If I’m not mistaken, the answer is:
    Configure the rds-instance-public-access-check AWS Config managed rule to monitor the RDS resources.

  2. Sean
    Author

    My best guess is:
    Configure the rds-instance-public-access-check AWS Config managed rule to monitor the RDS resources.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × five =