Which strategy should be used to meet these requirements?
A. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use CloudFormation drift detection to detect when resources have drifted from their expected state.
B. Allow users to deploy CloudFormation stacks using a CloudFormation service role only. Use AWS Config rules to detect when resources have drifted from their expected state.
C. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a launch constraint. Use AWS Config rules to detect when resources have drifted from their expected state.
D. Allow users to deploy CloudFormation stacks using AWS Service Catalog only. Enforce the use of a template constraint. Use Amazon EventBridge notifications to detect when resources have drifted from their expected state.
Explanations:
A. While CloudFormation drift detection is a good approach for monitoring resource drift, it does not enforce the use of pre-approved templates. Allowing users to deploy stacks directly through CloudFormation, without AWS Service Catalog, does not provide the necessary governance over resource provisioning.
B. Like option A, this option uses AWS Config rules for drift detection, which is a valid method for monitoring compliance. However, it still allows users to deploy stacks directly through CloudFormation, so it does not ensure that only pre-approved templates are used and therefore does not fully satisfy the requirement for enforced template use.
C. This option correctly requires users to deploy CloudFormation stacks through AWS Service Catalog, which can enforce the use of pre-approved templates. By using AWS Config rules, it also monitors and detects resource drift, satisfying both requirements: template enforcement and automated monitoring of resource state.
D. Although this option enforces the use of AWS Service Catalog, relying on a template constraint does not adequately ensure that pre-approved templates are used. In addition, Amazon EventBridge notifications do not provide the same level of automated compliance monitoring as AWS Config rules. Therefore, this option does not fully meet the requirements.