Which solution will meet this requirement in the MOST operationally efficient manner?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A company is operating an AWS workload that consists of multiple applications that are deployed on Amazon EC2 instances.Recent changes to a security group caused connectivity issues for some application instances that use the security group.The company now needs all changes to security groups to initiate an alert to a specific company email address.

Which solution will meet this requirement in the MOST operationally efficient manner?

Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Notification Service (Amazon SNS) topic.

Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Queue Service (Amazon SQS) queue.

Implement AWS CloudTrail. Configure forwarding to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter with a pattern match on all security group changes. Configure an Amazon CloudWatch alarm to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.

Implement AWS CloudTrail. Configure forwarding to Amazon S3. Configure an AWS Glue crawler for use with Amazon Athena to query log contents for event patterns that indicate changes to security groups. Publish the query results to an Amazon Simple Queue Service (Amazon SQS) queue.

Explanations:

AWS Config can detect changes to security groups, but manual remediation actions with SNS for alerts are less efficient than using CloudTrail and CloudWatch.

AWS Config detects changes, but sending alerts through an SQS queue requires additional complexity, making it less operationally efficient.

CloudTrail can capture security group changes and forward them to CloudWatch Logs, which can trigger SNS alerts through CloudWatch alarms, making this the most operationally efficient solution.

While CloudTrail forwards logs to S3, using Athena and SQS adds unnecessary complexity compared to CloudWatch and SNS for real-time alerting.

2026-03-22

2 Comments

  1. Kathryn
    Author

    I would say the answer is:
    Implement AWS CloudTrail. Configure forwarding to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter with a pattern match on all security group changes. Configure an Amazon CloudWatch alarm to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.

  2. Adam
    Author

    From what I’ve heard, the answer is:
    Implement AWS CloudTrail. Configure forwarding to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter with a pattern match on all security group changes. Configure an Amazon CloudWatch alarm to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.

Leave a Reply to Kathryn Cancel reply

Your email address will not be published. Required fields are marked *

thirteen + thirteen =