-
AWS Config SNS Notification
-
In the following question:
Category: DOP – Policies and Standards Automation
A cloud-based payments company is heavily using Amazon EC2 instances to host their applications in AWS Cloud. They would like to improve the security of their cloud resources by ensuring that all of their EC2 instances were launched from pre-approved AMIs only. The list of AMIs is set and managed by their IT Security team. Their Software Development team has an automated CI/CD process that launches several EC2 instances with new and untested AMIs for testing. The development process must not be affected by the new solution, which will be implemented by their Lead DevOps Engineer. Which of the following can the Engineer implement to satisfy the requirement with the LEAST impact on the development process? (Select TWO)
In one of the answers you marked as correct:
Use AWS Config to determine any launches of Amazon EC2 instances based on non-approved AMIs. Configure the rule to trigger a Lambda function that will automatically terminate the EC2 instance. Publish a message to an Amazon SNS topic to inform the IT Security and Development teams about the occurrence.
Then you explain:
you can use the approved-amis-by-id AWS managed rule which checks whether running instances are using specified AMIs. You can also use a Lambda function which is scheduled to run regularly to scan all of the running EC2 instances in your VPC and check if there is an instance that was launched using an unauthorized AMI.
When you say “Lambda function which is scheduled to run regularly”, are you talking about CloudWatch Events?
I understand that you cannot send an SNS notification for a specific rule, just for ALL configuration changes, so where do you “publish a message to an Amazon SNS Topic”? From the Lambda function?
-
Hi Mao,
In this scenario, there are two answers: the one you shared above and this one:
Integrate AWS Lambda and CloudWatch Events to schedule a daily process that will search through the list of running Amazon EC2 instances within your VPC. Configure the function to determine if any of these are based on unauthorized AMIs. Publish a new message to an Amazon SNS topic to inform the Security and Development teams that the issue occurred and then automatically terminate the EC2 instance.
The phrase “scheduled Lambda function” in the explanation is referring to Lambda and CloudWatch Events. I am actually trying to make our explanations more concise, but I guess I can further improve this and mention the whole thing to avoid any confusion like this.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
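The "scheduled Lambda function" option from this exchange, written out as an added example (not Tutorials Dojo's or AWS's code): CloudWatch Events invokes `lambda_handler` on a schedule, the handler pages through `describe_instances`, compares each running instance's `ImageId` against the IT Security team's approved list, and publishes one SNS message listing the offenders. The environment variable names `APPROVED_AMIS` and `ALERT_TOPIC_ARN`, the sample instance and AMI ids, and the region default are all assumptions made for this example. The detection logic is kept in pure functions so it can be run locally against the constructed sample data without AWS credentials.

```python
"""Scheduled Lambda that flags running EC2 instances launched from non-approved AMIs.

Added example, not code from the thread. Assumptions: the approved AMI list is
supplied through the APPROVED_AMIS environment variable (comma-separated) and
the SNS topic through ALERT_TOPIC_ARN; both names are placeholders.
"""
import os

APPROVED_AMIS_ENV = "APPROVED_AMIS"    # assumed env var, e.g. "ami-0aaa...,ami-0bbb..."
ALERT_TOPIC_ENV = "ALERT_TOPIC_ARN"    # assumed env var holding the SNS topic ARN


def parse_approved_amis(raw):
    """Turn the comma-separated env value into a set, ignoring blanks and whitespace."""
    return {a.strip() for a in raw.split(",") if a.strip()}


def find_unapproved_instances(reservations, approved_amis):
    """Walk a describe_instances() 'Reservations' list and return the live
    instances whose ImageId is not in the approved set.

    Only 'running' and 'pending' instances are reported: stopped or already
    terminated instances are not a live risk and would only add noise.
    """
    offenders = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name")
            if state not in ("running", "pending"):
                continue
            image_id = inst.get("ImageId", "")
            if image_id not in approved_amis:
                offenders.append({"InstanceId": inst["InstanceId"], "ImageId": image_id})
    return offenders


def build_alert(offenders, region):
    """Human-readable SNS message body listing each offending instance."""
    lines = [f"{len(offenders)} EC2 instance(s) in {region} use a non-approved AMI:"]
    for o in offenders:
        lines.append(f"  {o['InstanceId']} launched from {o['ImageId']}")
    return "\n".join(lines)


def lambda_handler(event, context):
    """Entry point for the CloudWatch Events (EventBridge) schedule.

    boto3 is imported here, not at module level, so the pure functions above
    can be exercised without AWS credentials or network access.
    """
    import boto3  # present in the Lambda runtime

    region = os.environ.get("AWS_REGION", "us-east-1")
    approved = parse_approved_amis(os.environ.get(APPROVED_AMIS_ENV, ""))
    ec2 = boto3.client("ec2", region_name=region)

    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])

    offenders = find_unapproved_instances(reservations, approved)
    if offenders:
        boto3.client("sns", region_name=region).publish(
            TopicArn=os.environ[ALERT_TOPIC_ENV],
            Subject="Non-approved AMI detected",
            Message=build_alert(offenders, region),
        )
    return {"unapproved": offenders}


# Constructed sample data in the shape describe_instances() returns, so the
# detection logic can be run locally without touching AWS.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0000000000000aaaa", "ImageId": "ami-0approved0000001",
         "State": {"Name": "running"}},
        {"InstanceId": "i-0000000000000bbbb", "ImageId": "ami-0untested00000099",
         "State": {"Name": "running"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0000000000000cccc", "ImageId": "ami-0untested00000099",
         "State": {"Name": "terminated"}},   # already gone: not reported
    ]},
]
SAMPLE_APPROVED = parse_approved_amis("ami-0approved0000001, ami-0approved0000002")

if __name__ == "__main__":
    found = find_unapproved_instances(SAMPLE_RESERVATIONS, SAMPLE_APPROVED)
    print(build_alert(found, "us-east-1"))
```

The thread's answer also terminates the offending instance; that would be an `ec2.terminate_instances(InstanceIds=[...])` call after the SNS publish, gated so the CI/CD team's test instances (for example, tagged by the pipeline) are excluded, since the question requires the development process to be unaffected.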
-
Hi Jon, got it, but one of the correct answers mentions:
Use AWS Config to determine any launches of Amazon EC2 instances based on non-approved AMIs. Configure the rule to trigger a Lambda function that will automatically terminate the EC2 instance. Publish a message to an Amazon SNS topic to inform the IT Security and Development teams about the occurrence.
I think this is wrong; you cannot configure the rule to trigger a Lambda function. As you say, you have to use CW Events with a Lambda function as a target, and maybe another target with SNS.
Another option would be a Remediation action with an SSM document.
-
Hi Mao,
Thank you for your reply. It is true that you cannot directly trigger a Lambda function from AWS Config. The AWS Lambda function in AWS Config is primarily used to evaluate whether your AWS resources comply with the rule or not. The remediation action is done via the AWS Systems Manager Automation. However, take note that you can call a Lambda from your Systems Manager workflow to terminate the EC2 instance:
I understand that the Systems Manager Automation document has an AWS-StopEC2Instance action that you can use to terminate the EC2 instances:
https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-aws-stopec2instance.html
Same goes with Lambda:
https://aws.amazon.com/premiumsupport/knowledge-center/start-stop-lambda-cloudwatch/
I acknowledge that we can add more information on this option to avoid any misunderstanding like this in the future. I’ll revise the option to also mention Systems Manager Automation as part of the answer.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
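The AWS Config route from this reply, as an added example (not the thread's or AWS's code): the `approved-amis-by-id` managed rule, an SSM Automation remediation attached to it (AWS-StopEC2Instance, the document named above), and, answering the earlier question about per-rule SNS notifications, a CloudWatch Events (EventBridge) pattern that fires only on NON_COMPLIANT evaluations of that one rule, so an SNS topic or Lambda can be its target. The rule name, the automation role ARN, the AMI ids and the sample event are placeholders; the `event_matches` helper is a deliberately small matcher written for this example so the pattern can be checked locally, not the EventBridge implementation.

```python
"""Wiring for the AWS Config option: managed rule, SSM remediation, and a
per-rule compliance-change event pattern.

Added example, not Tutorials Dojo's code. RULE_NAME, AUTOMATION_ROLE_ARN and
the AMI ids are placeholders.
"""
import json

RULE_NAME = "approved-amis-only"                                               # assumed
AUTOMATION_ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediationRole"  # placeholder


def config_rule_payload(approved_amis, rule_name=RULE_NAME):
    """Body for config.put_config_rule(ConfigRule=...): the managed rule takes
    the approved AMI ids as one comma-separated 'amiIds' input parameter."""
    return {
        "ConfigRuleName": rule_name,
        "Source": {"Owner": "AWS", "SourceIdentifier": "APPROVED_AMIS_BY_ID"},
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Instance"]},
        "InputParameters": json.dumps({"amiIds": ",".join(sorted(approved_amis))}),
    }


def remediation_payload(rule_name=RULE_NAME, role_arn=AUTOMATION_ROLE_ARN):
    """Body for config.put_remediation_configurations(): AWS Config cannot call
    Lambda directly, so remediation runs an SSM Automation document. RESOURCE_ID
    is substituted by Config with the non-compliant instance id at run time."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-StopEC2Instance",
        "Parameters": {
            "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
        },
        "Automatic": True,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
    }


def compliance_change_pattern(rule_name=RULE_NAME):
    """EventBridge pattern matching NON_COMPLIANT evaluations of one rule only;
    attach an SNS topic and/or a Lambda function as targets of that rule."""
    return {
        "source": ["aws.config"],
        "detail-type": ["Config Rules Compliance Change"],
        "detail": {
            "configRuleName": [rule_name],
            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
        },
    }


def event_matches(event, pattern):
    """Minimal matcher (exact-value lists and nested dicts only) written for
    this example; enough to check the pattern against sample events locally."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


# Constructed sample event in the shape AWS Config emits on a compliance change.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": RULE_NAME,
        "resourceId": "i-0000000000000bbbb",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}


def apply(region="us-east-1"):
    """Push both configurations with boto3 (needs credentials; not run by default)."""
    import boto3
    config = boto3.client("config", region_name=region)
    config.put_config_rule(ConfigRule=config_rule_payload({"ami-0approved0000001"}))
    config.put_remediation_configurations(RemediationConfigurations=[remediation_payload()])


if __name__ == "__main__":
    print(json.dumps(compliance_change_pattern(), indent=2))
    print("sample event matches:", event_matches(SAMPLE_EVENT, compliance_change_pattern()))
```

Because the pattern filters on `configRuleName`, the SNS notification is scoped to this one rule rather than to every configuration change, and because remediation is only ever applied to instances Config has marked NON_COMPLIANT, the CI/CD team's instances can be kept out of scope by adjusting the rule's scope or the approved list rather than by touching the pipeline.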
-