review

Cards (4)

  • B. Create a conformance pack with delegated admin:
    • A conformance pack is a collection of AWS Config rules and remediation actions that is deployed as a single unit; an organization conformance pack deploys that unit to every account in an AWS Organization. This meets the requirement of pushing the 10 rules to all accounts with one deployment.
    • The security-01 account is the delegated administrator for AWS Config (registered in Organizations with the config-multiaccountsetup.amazonaws.com service principal), so it can call PutOrganizationConformancePack to deploy the pack to the member accounts.
  • E. Create a CloudFormation template to activate AWS Config:
    • AWS Config must be turned on (a configuration recorder and a delivery channel, the AWS::Config::ConfigurationRecorder and AWS::Config::DeliveryChannel resources) in each account and Region before any rule or conformance pack can evaluate resources there, so this step has to precede B. A CloudFormation StackSet with service-managed permissions and automatic deployment turned on pushes the template to every existing account in the targeted OUs and to accounts added later.
    • The management-01 account is the organization's management account; with trusted access enabled for StackSets it can target the whole organization or specific OUs.
  • Incorrect:
    X. Create a CloudFormation template with rules:
    • CloudFormation can define AWS Config rules (AWS::Config::ConfigRule), so a StackSet of 10 rule resources would technically work, but it spreads 10 separate resources across every account and makes the rule set and its compliance view harder to manage. An organization conformance pack is the purpose-built mechanism for deploying a rule set across an organization, which is why it is the expected answer.
    X. Deploy the conformance pack from management-01:
    • The management account can generally manage organization conformance packs too, so the problem is not that the call would fail. The question designates security-01 as the delegated administrator for AWS Config, and the intended pattern is to run Config operations from that account and keep day-to-day use of the management account to a minimum; choosing management-01 ignores the delegated administrator that was set up for exactly this purpose.
  • C. Use Amazon Athena:
    • The CloudTrail logs are stored in DOC-EXAMPLE-BUCKET2. Athena is a serverless query service that runs SQL directly against data in S3, so the logs can be searched in place without loading them into another store, and the cost is per byte scanned, which a date-bounded query over the last 60 days keeps small.
    • Athena can filter the logs on specific criteria such as the IAM access key that signed the request (useridentity.accesskeyid) and the bucket and object named in requestparameters, which is enough to answer whether the access key was used to access any object in DOC-EXAMPLE-BUCKET1 in the past 60 days. One caveat: object-level S3 calls such as GetObject are S3 data events, which are only recorded if the trail had data event logging enabled for that bucket; a management-events-only trail would show nothing either way.
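The check described in card C, as an added example that is not part of the original cards or of any AWS material: the Athena query a practitioner would run against the CloudTrail table, followed by the same filter applied locally to CloudTrail records so that it runs offline. The table name cloudtrail_logs (created with the AWS-documented CloudTrail DDL), the access key AKIAIOSFODNN7EXAMPLE (AWS's documentation placeholder key ID) and the sample records are all assumptions; the records are constructed here, not real log data. The local filter only sees what the trail recorded, so, as noted above, object-level events must have been enabled on the trail for DOC-EXAMPLE-BUCKET1.

```python
"""
Was a given IAM access key used to access any object in DOC-EXAMPLE-BUCKET1
in the last 60 days? First the Athena query, then the same filter over
constructed CloudTrail records so the logic can run without AWS access.

Assumptions (not from the original cards): Athena table cloudtrail_logs built
with the AWS-documented CloudTrail DDL; access key AKIAIOSFODNN7EXAMPLE is
AWS's placeholder key ID; the sample records below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"  # placeholder key ID (assumption)
BUCKET = "DOC-EXAMPLE-BUCKET1"
WINDOW_DAYS = 60

# The query as it would be run in Athena. useridentity.accesskeyid is the key
# that signed the request; requestparameters is stored as a JSON string, so the
# bucket and object names are pulled out with json_extract_scalar. Bounding
# eventtime (and the partition columns, if the table is partitioned) limits the
# bytes scanned and therefore the cost. Values are constants here; a tool taking
# user input should use Athena execution parameters instead of string building.
ATHENA_QUERY = f"""
SELECT eventtime, eventname, useridentity.accesskeyid AS accesskeyid,
       json_extract_scalar(requestparameters, '$.key') AS objectkey
FROM cloudtrail_logs
WHERE eventsource = 's3.amazonaws.com'
  AND useridentity.accesskeyid = '{ACCESS_KEY}'
  AND json_extract_scalar(requestparameters, '$.bucketName') = '{BUCKET}'
  AND from_iso8601_timestamp(eventtime) >= current_timestamp - interval '{WINDOW_DAYS}' day
ORDER BY eventtime
"""


def parse_cloudtrail_log(text):
    """Parse one CloudTrail log file ({"Records": [...]} envelope) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def find_bucket_access(records, access_key, bucket, now, window_days=WINDOW_DAYS):
    """Return (eventTime, eventName, objectKey) for every S3 event inside the
    window that was signed with access_key and targeted bucket."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        event_time = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if event_time.replace(tzinfo=timezone.utc) < cutoff:
            continue
        hits.append((rec["eventTime"], rec["eventName"], params.get("key")))
    return hits


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the run is deterministic


def _record(event_time, event_name, bucket, key, access_key=ACCESS_KEY):
    # Constructed CloudTrail S3 data event (only the fields the filter reads).
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "accessKeyId": access_key},
        "requestParameters": {"bucketName": bucket, "key": key},
    }


SAMPLE_LOG = json.dumps({"Records": [
    _record("2024-05-22T10:15:00Z", "GetObject", BUCKET, "reports/q1.csv"),            # hit
    _record("2024-05-30T08:00:00Z", "PutObject", BUCKET, "reports/q2.csv"),            # hit
    _record("2024-05-25T12:00:00Z", "GetObject", "DOC-EXAMPLE-BUCKET2", "logs/x.gz"),  # other bucket
    _record("2024-05-26T12:00:00Z", "GetObject", BUCKET, "reports/q1.csv",
            access_key="AKIAI44QH8DHBEXAMPLE"),                                        # other key
    _record("2024-03-01T12:00:00Z", "GetObject", BUCKET, "reports/old.csv"),           # outside 60 days
]})


def check_sample():
    """Run the filter over the constructed log; expected: the two hits above."""
    return find_bucket_access(parse_cloudtrail_log(SAMPLE_LOG), ACCESS_KEY, BUCKET, NOW)


if __name__ == "__main__":
    for event_time, event_name, key in check_sample():
        print(event_time, event_name, key)
```

The local filter mirrors the WHERE clause term by term (event source, signing key, bucket, time window), which is useful when only a handful of log files need checking or when validating the Athena result on a sample; for 60 days of organization-wide logs the Athena query is the one to run.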