Incorrect answer on practice exam
Hello, there is a question that asks:
A multinational investment bank is implementing regulatory compliance checks over their AWS accounts. All API calls made on each of their AWS resources across their accounts must be monitored and tracked for auditing purposes. AWS CloudTrail will be used to monitor all API activities and detect sensitive security issues in the company’s AWS accounts. The DevOps Team was assigned to come up with a solution to remediate CloudTrail from being disabled on some AWS accounts automatically.
As a DevOps Engineer, what solution should you apply that provides the LEAST amount of downtime for the CloudTrail log deliveries?
The provided answer in the exam is:
Use the cloudtrail-enabled AWS Config managed rule with a periodic interval of 1 hour to evaluate whether your AWS account enabled AWS CloudTrail. Set up a CloudWatch Events rule for AWS Config rules compliance change. Launch a Lambda function that uses the AWS SDK and add the Amazon Resource Name (ARN) of the Lambda function as the target in the CloudWatch Events rule. Once a StopLogging event is detected, the Lambda function will re-enable the logging for that trail by calling the StartLogging API on the resource ARN.

However, this is incorrect. The answer is actually:

Use the cloudtrail-enabled AWS Config managed rule to evaluate whether the AWS account enabled AWS CloudTrail with a trigger type of Configuration changes. By default, this managed rule will automatically remediate the accounts that disabled its CloudTrail.

Please see for reference:

"To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation."
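The Lambda remediation described in the post, written out as an added example (this is not code from the original post or from the practice exam). It accepts either of the two triggers mentioned: an EventBridge (CloudWatch Events) delivery of the CloudTrail StopLogging management event, which names the affected trail directly, or a Config Rules Compliance Change event for cloudtrail-enabled, which only says the account is NON_COMPLIANT, so the handler must list trails and find the one that stopped. It ignores a StopLogging call that failed (errorCode present) and any other API name such as DeleteTrail, since StartLogging cannot fix a deleted trail. The account id, trail ARNs, sample events and the FakeCloudTrail client are constructed for the example; the real boto3 client is only created when no client is injected.

```python
"""Re-enable CloudTrail logging from an EventBridge-triggered Lambda (added example)."""
from typing import Any, Dict, List

# Constructed identifiers for the example; not real accounts or trails.
ACCOUNT = "111122223333"
TRAIL_A = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/audit-trail"
TRAIL_B = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/backup-trail"

# Constructed EventBridge event: CloudTrail StopLogging management event.
SAMPLE_STOP_LOGGING_EVENT: Dict[str, Any] = {
    "version": "0", "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail", "account": ACCOUNT, "region": "us-east-1",
    "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
               "awsRegion": "us-east-1", "requestParameters": {"name": TRAIL_A}},
}

# Constructed EventBridge event: AWS Config compliance change for cloudtrail-enabled.
SAMPLE_CONFIG_EVENT: Dict[str, Any] = {
    "version": "0", "detail-type": "Config Rules Compliance Change",
    "source": "aws.config", "account": ACCOUNT, "region": "us-east-1",
    "detail": {"resourceId": ACCOUNT, "resourceType": "AWS::::Account",
               "configRuleName": "cloudtrail-enabled",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}


def _trail_from_stop_logging(detail: Dict[str, Any]) -> List[str]:
    """Trail named in a *successful* StopLogging call; [] for anything else."""
    if detail.get("eventSource") != "cloudtrail.amazonaws.com":
        return []
    if detail.get("eventName") != "StopLogging":
        return []  # DeleteTrail, UpdateTrail etc. need a different remediation
    if "errorCode" in detail:
        return []  # the call was denied or failed, so logging never stopped
    name = (detail.get("requestParameters") or {}).get("name")
    return [name] if name else []


def _trails_not_logging(cloudtrail) -> List[str]:
    """Every trail in this account/region whose status reports IsLogging False."""
    stopped = []
    for trail in cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]:
        arn = trail["TrailARN"]
        if not cloudtrail.get_trail_status(Name=arn)["IsLogging"]:
            stopped.append(arn)
    return stopped


def trails_to_restart(event: Dict[str, Any], cloudtrail) -> List[str]:
    """Decide, from the trigger type, which trail ARNs need StartLogging."""
    detail = event.get("detail") or {}
    if event.get("detail-type") == "AWS API Call via CloudTrail":
        return _trail_from_stop_logging(detail)
    if event.get("detail-type") == "Config Rules Compliance Change":
        result = detail.get("newEvaluationResult") or {}
        if (detail.get("configRuleName") == "cloudtrail-enabled"
                and result.get("complianceType") == "NON_COMPLIANT"):
            return _trails_not_logging(cloudtrail)
    return []


def handler(event: Dict[str, Any], context=None, cloudtrail=None) -> Dict[str, List[str]]:
    """Lambda entry point. Pass a client to test offline; Lambda uses boto3."""
    if cloudtrail is None:
        import boto3  # real client only inside Lambda (needs cloudtrail:StartLogging)
        cloudtrail = boto3.client("cloudtrail")
    restarted = []
    for arn in trails_to_restart(event, cloudtrail):
        cloudtrail.start_logging(Name=arn)  # StartLogging is safe to repeat
        restarted.append(arn)
    return {"restarted": restarted}


class FakeCloudTrail:
    """Minimal stand-in for boto3's CloudTrail client (constructed for the example)."""

    def __init__(self, trails: Dict[str, bool]):
        self.trails = dict(trails)  # ARN -> IsLogging

    def describe_trails(self, includeShadowTrails=False):
        return {"trailList": [{"Name": a.rsplit("/", 1)[-1], "TrailARN": a}
                              for a in self.trails]}

    def get_trail_status(self, Name):
        return {"IsLogging": self.trails[Name]}

    def start_logging(self, Name):
        self.trails[Name] = True
        return {}


if __name__ == "__main__":
    ct = FakeCloudTrail({TRAIL_A: False, TRAIL_B: True})
    print(handler(SAMPLE_STOP_LOGGING_EVENT, cloudtrail=ct))
    print(handler(SAMPLE_CONFIG_EVENT, cloudtrail=FakeCloudTrail({TRAIL_A: False, TRAIL_B: True})))
```

The StopLogging path is the one with the least delivery gap: the event arrives within minutes of the API call and names the trail, while the Config path only fires after the rule's evaluation and then has to call DescribeTrails and GetTrailStatus to find what stopped. The Lambda's execution role needs cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus and cloudtrail:StartLogging on the trails in question.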