Which solution should the solutions architect implement?
A. Create an AWS CodeCommit repository containing policy-compliant AWS CloudFormation templates. Create an AWS Service Catalog portfolio. Import the CloudFormation templates by attaching the CodeCommit repository to the portfolio. Restrict users across all accounts to items from the AWS Service Catalog portfolio. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule for deviations, and associate a CloudWatch alarm to send notifications when the TriggeredRules metric is greater than zero.
B. Use AWS Service Catalog to build a portfolio with products that are in compliance with the governance policies in a central account. Restrict users across all accounts to AWS Service Catalog products. Share a compliant portfolio to other accounts. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule to send a notification when a deviation occurs.
C. Implement policy-compliant AWS CloudFormation templates for each account, and ensure that all provisioning is completed by CloudFormation. Configure Amazon Inspector to perform regular checks against resources. Perform policy validation and write the assessment output to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to increment a metric when a deviation occurs. Configure a CloudWatch alarm to send notifications when the configured metric is greater than zero.
D. Restrict users and enforce least privilege access using AWS IAM. Consolidate all AWS CloudTrail logs into a single account. Send the CloudTrail logs to Amazon Elasticsearch Service (Amazon ES). Implement monitoring, alerting, and reporting using the Kibana dashboard in Amazon ES and with Amazon SNS.
Explanations:
A. AWS Service Catalog is used here for organizing CloudFormation templates, but this option does not directly address the need for security policy enforcement (such as blocking ingress on port 22). AWS Config and CloudWatch are appropriate for detecting and notifying on policy violations, but the option does not comprehensively implement the preventive controls the security governance policies require.
B. AWS Service Catalog allows the creation of compliant products that can be shared across accounts from a central account. Restricting users to those products ensures that only compliant resources are deployed, and AWS Config managed rules detect deviations from the policies. CloudWatch Events is then used to send notifications on deviations, addressing both preventive and detective controls effectively.
C. Although CloudFormation can enforce policies and Amazon Inspector can check resources for vulnerabilities, this option does not adequately address preventive controls, such as blocking port 22 ingress. It is focused on detecting vulnerabilities rather than enforcing comprehensive governance.
D. This option is focused on IAM, CloudTrail, and Elasticsearch for logging and monitoring. It provides no direct preventive controls (such as blocking port 22 ingress or enforcing encryption), nor does it enforce the specific security policies required in the question. It is a logging and monitoring solution without full policy enforcement.
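To make the detective half of option B concrete, here is an added CloudFormation fragment (written for this explanation, not from the original question or from AWS documentation) that pairs the AWS Config managed rule for unrestricted SSH ingress with a CloudWatch Events (EventBridge) rule that notifies on NON_COMPLIANT evaluations. It assumes an AWS Config recorder is already enabled in the account and that the SNS topic ARN passed as `NotificationTopicArn` is an existing topic whose policy allows `events.amazonaws.com` to publish.

```yaml
# Added example for the explanation above (not part of the original page).
# Assumptions: AWS Config is already recording in this account/Region, and
# NotificationTopicArn points to an existing SNS topic that permits
# events.amazonaws.com to call sns:Publish.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  NotificationTopicArn:
    Type: String
    Description: ARN of an existing SNS topic (placeholder supplied at deploy time)
Resources:
  # AWS Config managed rule: flags security groups that allow inbound
  # SSH (TCP/22) from 0.0.0.0/0, i.e. the "port 22 ingress" deviation.
  RestrictedSshRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-ssh
      Source:
        Owner: AWS
        SourceIdentifier: INCOMING_SSH_DISABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
  # CloudWatch Events rule: matches compliance-change events emitted by
  # AWS Config for the rule above and forwards NON_COMPLIANT results to SNS.
  DeviationNotificationRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Notify when the restricted-ssh rule reports a deviation
      State: ENABLED
      EventPattern:
        source:
          - aws.config
        detail-type:
          - Config Rules Compliance Change
        detail:
          configRuleName:
            - !Ref RestrictedSshRule   # Ref returns the Config rule name
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
      Targets:
        - Arn: !Ref NotificationTopicArn
          Id: deviation-sns-target
```

The preventive half of option B (the shared Service Catalog portfolio that restricts what users can launch) is separate; this fragment only covers detection and notification, and the Config rule can be deployed to member accounts through a StackSet or a Config conformance pack.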