Which solution will meet these requirements?

By:
In: DOP-C02
Tagged:
With: 1 Comment
A company has an AWS CloudFormation stack that is deployed in a single AWS account.The company has configured the stack to send event notifications to an Amazon Simple Notification Service (Amazon SNS) topic.A DevOps engineer must implement an automated solution that applies a tag to the specific CloudFormation stack instance only after a successful stack update occurs.The DevOps engineer has created an AWS Lambda function that applies and updates this tag for the specific stack instance.

Which solution will meet these requirements?

Run the AWS-UpdateCloudFormationStack AWS Systems ManagerAutomation runbook when Systems Manager detects an UPDATE_COMPLETE event for the instance status of the CloudFormation stack. Configure the runbook to invoke the Lambda function.

Create a custom AWS Config rule that produces a compliance change event if the CloudFormation stack has an UPDATE_COMPLETE instance status. Configure AWS Config to directly invoke the Lambda function to automatically remediate the change event.

Create an Amazon EventBridge rule that matches the UPDATE_COMPLETE event pattern for the instance status of the CloudFormation stack. Configure the rule to invoke the Lambda function.

Adjust the configuration of the CloudFormation stack to send notifications for only an UPDATE_COMPLETE instance status event to the SNS topic. Subscribe the Lambda function to the SNS topic.

Explanations:

While using the AWS-UpdateCloudFormationStack runbook could theoretically work, it is not directly linked to the stack update events and requires manual initiation or a separate trigger, which does not automate the tagging after a stack update.

AWS Config rules are meant for compliance monitoring and remediation. While they can respond to changes, they do not provide a direct mechanism to invoke a Lambda function based solely on the UPDATE_COMPLETE event of a CloudFormation stack without additional configurations, making this option less straightforward.

Amazon EventBridge can natively respond to CloudFormation stack events, including UPDATE_COMPLETE. By creating an EventBridge rule that matches this specific event and directly invokes the Lambda function, this option effectively automates the tagging process as required after a successful stack update.

Although adjusting the SNS configuration to send notifications for only UPDATE_COMPLETE events could work, it introduces an additional component (SNS) that is not necessary. Moreover, simply subscribing the Lambda function to the SNS topic may not ensure that the tagging happens specifically after an update, as there could be other notifications that do not require tagging.

2025-10-14

1 Comment

  1. Henry
    Author

    I categorize that the answer is:
    Create an Amazon EventBridge rule that matches the UPDATE_COMPLETE event pattern for the instance status of the CloudFormation stack. Configure the rule to invoke the Lambda function.

Leave a Reply to Henry Cancel reply

Your email address will not be published. Required fields are marked *

20 − fourteen =