Which solution will meet these requirements with the MOST operational efficiency?
Use AWS Control Tower to activate the optional detective control (guardrail) to determine whether the RDS storage is encrypted. Create an Amazon Simple Notification Service (Amazon SNS) topic in the company’s audit account. Create an Amazon EventBridge rule to filter noncompliant events from the AWS Control Tower control (guardrail) to notify the SNS topic. Subscribe the security engineer’s email address to the SNS topic.
Use AWS CloudFormation StackSets to deploy AWS Lambda functions to every account. Write the Lambda function code to determine whether the RDS storage is encrypted in the account the function is deployed to. Send the findings as an Amazon CloudWatch metric to the management account. Create an Amazon Simple Notification Service (Amazon SNS) topic. Create a CloudWatch alarm that notifies the SNS topic when metric thresholds are met. Subscribe the security engineer’s email address to the SNS topic.
Create a custom AWS Config rule in every account to determine whether the RDS storage is encrypted. Create an Amazon Simple Notification Service (Amazon SNS) topic in the audit account. Create an Amazon EventBridge rule to filter noncompliant events from the AWS Control Tower control (guardrail) to notify the SNS topic. Subscribe the security engineer’s email address to the SNS topic.
Launch an Amazon EC2 instance. Run an hourly cron job by using the AWS CLI to determine whether the RDS storage is encrypted in each AWS account. Store the results in an RDS database. Notify the security engineer by sending email messages from the EC2 instance when noncompliance is detected.
Explanations:
This option utilizes AWS Control Tower’s built-in detective controls (guardrails) to monitor RDS encryption compliance efficiently. By integrating Amazon SNS for notifications and Amazon EventBridge to filter noncompliance events, it minimizes manual effort and operational overhead while ensuring timely alerts for the security engineer.
This option involves deploying AWS Lambda functions across multiple accounts using CloudFormation StackSets, which adds complexity and operational overhead. Additionally, it requires custom coding and management of CloudWatch metrics and alarms, making it less efficient compared to the options leveraging built-in AWS services like Control Tower.
Although creating a custom AWS Config rule could check for RDS encryption, it requires management across multiple accounts. Additionally, it does not utilize the built-in capabilities of AWS Control Tower for compliance monitoring and notifications, which leads to higher operational overhead compared to using Control Tower directly.
This option is the least efficient, as it requires provisioning and managing an EC2 instance to run a cron job, which involves ongoing maintenance, cost, and operational complexity. This manual approach is not scalable and does not leverage the automation and integration capabilities of AWS services.
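The following CloudFormation template is an added example of the first option's audit-account pieces (SNS topic, email subscription, EventBridge rule filtering for NON_COMPLIANT results); it is not from the original question and not an AWS-published template. It assumes that the Control Tower detective control is implemented as an AWS Config rule whose name begins with the `ConfigRuleNamePrefix` parameter value, that the resulting "Config Rules Compliance Change" events arrive on the audit account's default event bus, and that the email address is a placeholder to be replaced.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not part of the original page): deliver NON_COMPLIANT
  evaluations of the Control Tower RDS storage-encryption detective control
  to an SNS topic that emails the security engineer. Deploy in the audit account.

Parameters:
  SecurityEngineerEmail:
    Type: String
    Description: Placeholder address; replace with the engineer's real mailbox.
    Default: security-engineer@example.com
  ConfigRuleNamePrefix:
    Type: String
    Description: >
      Assumption: Control Tower deploys the guardrail as an AWS Config rule
      whose name starts with this prefix. Verify the real name in the console.
    Default: AWSControlTower_AWS-GR_RDS_STORAGE_ENCRYPTED

Resources:
  NoncomplianceTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: rds-encryption-noncompliance

  EmailSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref NoncomplianceTopic
      Protocol: email
      Endpoint: !Ref SecurityEngineerEmail

  # EventBridge needs permission to publish; least privilege limits it to this one rule.
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref NoncomplianceTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref NoncomplianceTopic
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt NoncomplianceRule.Arn

  # Only compliance changes that land on NON_COMPLIANT for RDS instances are forwarded,
  # so the engineer is not paged for COMPLIANT or NOT_APPLICABLE transitions.
  NoncomplianceRule:
    Type: AWS::Events::Rule
    Properties:
      Description: NON_COMPLIANT compliance changes for the RDS storage-encryption rule
      State: ENABLED
      EventPattern:
        source:
          - aws.config
        detail-type:
          - Config Rules Compliance Change
        detail:
          messageType:
            - ComplianceChangeNotification
          resourceType:
            - AWS::RDS::DBInstance
          configRuleName:
            - prefix: !Ref ConfigRuleNamePrefix
          newEvaluationResult:
            complianceType:
              - NON_COMPLIANT
      Targets:
        - Id: NotifySecurityEngineer
          Arn: !Ref NoncomplianceTopic
          InputTransformer:
            InputPathsMap:
              account: $.detail.awsAccountId
              region: $.detail.awsRegion
              resource: $.detail.resourceId
              rule: $.detail.configRuleName
            InputTemplate: '"RDS storage encryption NON_COMPLIANT: <resource> in account <account> (<region>), rule <rule>"'
```

The email subscription must be confirmed by the recipient before any message is delivered, so deploying the stack alone is not the end of the procedure. If member-account events are not already forwarded to the audit account's event bus, an event-bus policy and a forwarding rule in each member account (or Control Tower's own aggregated security notifications topic) would be needed in addition to this template.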