

  • AWS Config SNS Notification

  • Mao

    Member
    April 17, 2020 at 10:41 pm

    In this following question:

    Category: DOP – Policies and Standards Automation
    A cloud-based payments company is heavily using Amazon EC2 instances to host their applications in AWS Cloud. They would like to improve the security of their cloud resources by ensuring that all of their EC2 instances were launched from pre-approved AMIs only. The list of AMIs is set and managed by their IT Security team. Their Software Development team has an automated CI/CD process that launches several EC2 instances with new and untested AMIs for testing. The development process must not be affected by the new solution, which will be implemented by their Lead DevOps Engineer. Which of the following can the Engineer implement to satisfy the requirement with the LEAST impact on the development process? (Select TWO)

    in one of the answers you marked as correct:

    Use AWS Config to determine any launches of Amazon EC2 instances based on non-approved AMIs. Configure the rule to trigger a Lambda function that will automatically terminate the EC2 instance. Publish a message to an Amazon SNS topic to inform the IT Security and Development teams about the occurrence.

    Then you explain:

    you can use the approved-amis-by-id AWS managed rule which checks whether running instances are using specified AMIs. You can also use a Lambda function which is scheduled to run regularly to scan all of the running EC2 instances in your VPC and check if there is an instance that was launched using an unauthorized AMI.

    When you say “Lambda function which is scheduled to run regularly”, are you talking about CloudWatch Events?

    I understand that you cannot send an SNS notification for a specific rule, just for ALL configuration changes, so where do you "publish a message to an Amazon SNS Topic", from the Lambda function?

  • Jon-Bonso

    Administrator
    April 19, 2020 at 12:28 am

    Hi Mao,

    In this scenario, there are two answers: the one you shared above and this one:

    Integrate AWS Lambda and CloudWatch Events to schedule a daily process that will search through the list of running Amazon EC2 instances within your VPC. Configure the function to determine if any of these are based on unauthorized AMIs. Publish a new message to an Amazon SNS topic to inform the Security and Development teams that the issue occurred and then automatically terminate the EC2 instance.

    The phrase “scheduled Lambda function” in the explanation is referring to Lambda and CloudWatch Events. I am actually trying to make our explanations more concise but I guess, I can further improve this and mention the whole thing to avoid any confusion like this.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo

  • Mao

    Member
    April 19, 2020 at 12:47 am

    Hi Jon, got it, but one of the correct answers mentions:

    Use AWS Config to determine any launches of Amazon EC2 instances based on non-approved AMIs. Configure the rule to trigger a Lambda function that will automatically terminate the EC2 instance. Publish a message to an Amazon SNS topic to inform the IT Security and Development teams about the occurrence.

    I think this is wrong: you cannot configure the rule to trigger a Lambda function; as you say, you have to use CW Events with a Lambda function as the target, and maybe another target with SNS.

    Another option would be Remediation action with SSM document
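One way to build what the two answers in this thread describe, as an added example that is not Tutorials Dojo's code or an official AWS sample: a single Lambda function that serves both the event-driven path (a CloudWatch Events rule matching AWS Config "Config Rules Compliance Change" events for the approved-amis-by-id rule) and the scheduled path (a daily CloudWatch Events rule that lists running instances and compares their ImageId to an approved list). In both paths the function publishes to SNS itself and then terminates the instance. The rule name, the topic ARN, the environment variable names and the sample event below are assumptions; the sample event is constructed to match the documented event shape, and the `ec2`/`sns` arguments are boto3 clients (or test doubles) passed in so the decision logic can be exercised without AWS credentials.

```python
"""Approved-AMI enforcement Lambda: added example, not Tutorials Dojo code."""
import json
import os

# Hypothetical values; a real deployment sets these as Lambda environment variables.
CONFIG_RULE_NAME = os.environ.get("CONFIG_RULE_NAME", "approved-amis-by-id")
SNS_TOPIC_ARN = os.environ.get(
    "SNS_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:unapproved-ami-alerts")

# Event pattern for the CloudWatch Events rule that invokes the Lambda.  Matching
# only NON_COMPLIANT keeps the routine COMPLIANT re-evaluations out of the function.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": [CONFIG_RULE_NAME],
        "resourceType": ["AWS::EC2::Instance"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Constructed sample of the event shape (the field values are made up).
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": "approved-amis-by-id",
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}


def extract_noncompliant_instance(event):
    """Instance id from a compliance-change event, or None.  Re-checks what the
    event pattern already filtered on, so a mis-scoped rule or a manual test
    invocation cannot terminate the wrong resource."""
    detail = event.get("detail", {})
    if (event.get("source") != "aws.config"
            or detail.get("configRuleName") != CONFIG_RULE_NAME
            or detail.get("resourceType") != "AWS::EC2::Instance"
            or detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT"):
        return None
    return detail.get("resourceId")


def remediate(instance_id, image_id, reason, ec2, sns):
    """Publish to SNS first, then terminate, so the teams are told even if the
    terminate call fails (missing permission, instance already gone)."""
    message = {"instance_id": instance_id, "image_id": image_id,
               "reason": reason, "action": "terminate"}
    sns.publish(TopicArn=SNS_TOPIC_ARN, Subject=f"Unapproved AMI on {instance_id}",
                Message=json.dumps(message))
    ec2.terminate_instances(InstanceIds=[instance_id])
    return message


def handle_compliance_change(event, ec2, sns):
    """Event-driven answer.  Returns the SNS message dict, or None if ignored."""
    instance_id = extract_noncompliant_instance(event)
    if instance_id is None:
        return None
    # The Config event carries no AMI id, so look it up for the notification.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    found = [i for r in resp["Reservations"] for i in r["Instances"]]
    image_id = found[0]["ImageId"] if found else "unknown"
    return remediate(instance_id, image_id, f"config rule {CONFIG_RULE_NAME}", ec2, sns)


def scan_running_instances(ec2, sns, approved_amis):
    """Scheduled answer.  Returns the ids of the instances it terminated."""
    approved, terminated = set(approved_amis), []
    kwargs = {"Filters": [{"Name": "instance-state-name", "Values": ["running"]}]}
    while True:  # describe_instances pages with NextToken
        resp = ec2.describe_instances(**kwargs)
        for inst in (i for r in resp["Reservations"] for i in r["Instances"]):
            if inst["ImageId"] not in approved:
                remediate(inst["InstanceId"], inst["ImageId"], "scheduled scan", ec2, sns)
                terminated.append(inst["InstanceId"])
        if not resp.get("NextToken"):
            return terminated
        kwargs["NextToken"] = resp["NextToken"]


def lambda_handler(event, context):
    """Deployed entry point: one function behind both CloudWatch Events rules."""
    import boto3  # imported here so the logic above is testable without boto3
    ec2, sns = boto3.client("ec2"), boto3.client("sns")
    if event.get("source") == "aws.config":
        return handle_compliance_change(event, ec2, sns)
    # APPROVED_AMIS is an assumed env var; the list could equally be read from
    # the amiIds parameter of the Config rule.
    approved = [a for a in os.environ.get("APPROVED_AMIS", "").split(",") if a]
    return {"terminated": scan_running_instances(ec2, sns, approved)}
```

The function's execution role needs ec2:DescribeInstances, ec2:TerminateInstances and sns:Publish on the topic, and nothing wider. As written, the scheduled scan terminates every running instance whose AMI is not on the list, including the CI/CD test instances the question says must not be affected; in practice you would exclude those by tag, by account or by the rule's scope before enabling termination, and the same exclusion belongs in the Config rule's scope for the event-driven path.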

  • Mao

    Member
    April 19, 2020 at 5:57 pm

    Thanks for your answer and for helping me to understand.

    Best
