Which solution will meet these requirements with the LEAST operational overhead?
Use AWS Config to identify all untagged resources. Tag the identified resources programmatically. Use tags in the backup plan.
Use AWS Config to identify all resources that are not running. Add those resources to the backup vault.
Require all AWS account owners to review their resources to identify the resources that need to be backed up.
Use Amazon Inspector to identify all noncompliant resources.
Explanations:
Using AWS Config to identify untagged resources and then programmatically tagging them ensures that all resources are properly tagged for inclusion in the backup plan. This minimizes manual intervention and provides a systematic approach to ensuring all resources are backed up, leveraging AWS Backup’s tag-based selection.
AWS Config identifies resource configuration changes, not whether resources are running. Additionally, backing up “resources that are not running” could lead to unnecessary or incomplete backup coverage, as it does not address the requirement to back up all resources.
Relying on manual review by account owners introduces a high level of operational overhead and could lead to errors or omissions. This approach does not provide an automated or scalable solution for backing up all resources.
Amazon Inspector is designed for security assessments and vulnerability scanning, not for identifying noncompliant or backup-eligible resources. It is not relevant for automating or managing backup plans for all AWS resources.