Trusted Advisor question
In a particular answer explanation:
Qn:
You have a separate AWS account on which developers can freely spawn their own AWS resources and test their new builds. Given the lax restriction in this environment, you checked AWS Trusted Advisor and it shows that several instances use the default security group rule that opens inbound port 22 to all IP addresses. Even for a test environment, you still want to restrict the port 22 access from the Public IP of your on-premises data center only. With this, you want to be notified of any security check recommendations from Trusted Advisor and automatically solve the non-compliance based on the results.
What are the steps that you should take to set up the required solution? (Select THREE)
Explanation:
You can also write a scheduled Lambda function to check Trusted Advisor regularly. You can specify a fixed rate (for example, execute a Lambda function every hour or 15 minutes), or you can specify a Cron expression using CloudWatch Events. You can retrieve and refresh Trusted Advisor results programmatically. The AWS Support service enables you to write applications that interact with AWS Trusted Advisor.
Would like to know the difference between these 2 options.
Option 1 : Create a Lambda function and integrate CloudWatch Events and AWS Lambda to execute the function on a regular schedule to check AWS Trusted Advisor via API. Based on the results, publish a message to an SNS Topic to notify the subscribers. (Correct Answer)
Option 2 : Create a Lambda function that executes every hour to refresh AWS Trusted Advisor scan results via API. The automated notification on AWS Trusted Advisor will notify you of any changes is incorrect because the notification is only sent on a weekly basis, which can be quite long if you are concerned about security issues. (Wrong Answer)
Since the above 2 options are both using Lambda to trigger Trusted Advisor, and Option 1 did not state how regular the schedule for the Lambda function to trigger is, I think it is quite ambiguous.
And based on the explanation of the answer, it states “You can retrieve and refresh Trusted Advisor results programmatically”. But if I use the Lambda function, it looks like I can refresh the results every hour instead of on the default weekly basis?
=================================================================
And then in another question,
There are several teams sharing your single AWS account that hosts your production infrastructure. Your teams are primarily storing media and images on AWS S3 buckets; some are used for public internet use, while other buckets are used for internal applications only. Since the permissions on these public access buckets are listed on AWS Trusted Advisor, you want to take advantage of it to make sure that all public buckets only allow List operations for intended users. You want to be notified when any public S3 bucket have the wrong permissions and have it automatically changed if needed.
Which of the following should you implement to meet the requirements in this scenario? (Select THREE)
Option 1: Create a Lambda function that executes every hour to refresh AWS Trusted Advisor scan results via API. Subscribe to AWS Trusted advisor notification messages to receive the results. (Wrong)
Option 2: Utilize CloudWatch Events to monitor Trusted Advisor security recommendation results and then set a trigger to send an email using SNS to notify you about the results of the check. (Correct)
As in the first question above, I got the same question: why can’t I use Lambda to refresh the scan results, which can then send me the notification messages?
I’m trying to get a clearer picture of how Lambda triggers Trusted Advisor.
From the explanation, it looks like I can manually trigger Trusted Advisor based on how often I trigger the Lambda function, to get the scan results. And when the scan results are refreshed, the notification should automatically be triggered. No? If not, do point me in the right direction.
- This discussion was modified 4 years, 2 months ago by xiaochris.
Hi xiaochris,
Thanks for the feedback.
We’ll answer both of your questions here.
And based on the explanation of the answer, it states “You can retrieve and refresh Trusted Advisor results programmatically”. But if I use the Lambda function, it looks like I can refresh the results every hour instead of on the default weekly basis?
Option 2: Create a Lambda function that executes every hour to refresh AWS Trusted Advisor scan results via API. The automated notification on AWS Trusted Advisor will notify you of any changes.
– This option only refreshes Trusted Advisor every hour. It does not parse the results, unlike the other Lambda function in option 1. Also, even if you refresh Trusted Advisor every hour, the automated notification from Trusted Advisor is still sent on a weekly basis. Not every hour.
From the explanation, it looks like I can manually trigger Trusted Advisor based on how often I trigger the Lambda function, to get the scan results. And when the scan results are refreshed, the notification should automatically be triggered. No? If not, do point me in the right direction.
Option 1: Create a Lambda function that executes every hour to refresh AWS Trusted Advisor scan results via API. Subscribe to AWS Trusted Advisor notification messages to receive the results. (Wrong)
– Yes, you can create a Lambda function to trigger a refresh on Trusted Advisor, and then scan the refreshed result, and have Lambda send a notification to you.
– Option 1 says you subscribe to AWS Trusted Advisor, which is incorrect. If you subscribe to Trusted Advisor notification messages, you will only get notifications weekly. If you need notification on a frequent basis, you need to write your own Lambda function and notification setting for that.
Hope this helps.
Regards,
Kenneth Samonte @ Tutorials Dojo
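A sketch of the scheduled Lambda function the reply describes (request a refresh of a Trusted Advisor check, parse the refreshed result, and publish to SNS yourself instead of waiting for the weekly Trusted Advisor email), added here as an example; it is not code from the thread or from Tutorials Dojo. It assumes boto3, an SNS topic ARN in an environment variable named ALERT_TOPIC_ARN (a name chosen for this example), and a support plan that exposes the Trusted Advisor API; the SAMPLE_RESULT dict is constructed test data shaped like the API response.

```python
"""Scheduled Lambda: refresh a Trusted Advisor check, parse it, alert via SNS."""
import os

# Check name as shown in the Trusted Advisor console; looked up by name at run time so no ID is hardcoded.
CHECK_NAME = "Security Groups - Specific Ports Unrestricted"
TOPIC_ARN_VAR = "ALERT_TOPIC_ARN"  # hypothetical env var holding the SNS topic ARN

# Constructed sample shaped like the API's 'result' dict (not real data):
# one group open on port 22, one suppressed finding that must be ignored.
SAMPLE_RESULT = {
    "status": "error",
    "flaggedResources": [
        {"status": "error", "region": "us-east-1", "resourceId": "sg-0example1",
         "isSuppressed": False, "metadata": ["us-east-1", "default", "tcp", "22"]},
        {"status": "error", "region": "us-west-2", "resourceId": "sg-0example2",
         "isSuppressed": True, "metadata": ["us-west-2", "default", "tcp", "22"]},
    ],
}

def flagged_resources(result):
    """Non-suppressed resources the check marks as warning or error."""
    return [r for r in result.get("flaggedResources", [])
            if r.get("status") in ("warning", "error") and not r.get("isSuppressed")]

def build_alert(check_name, result):
    """Return (subject, body) for SNS, or None when nothing needs attention."""
    bad = flagged_resources(result)
    if not bad:
        return None
    lines = [f"{check_name}: {len(bad)} flagged, check status={result.get('status')}"]
    for r in bad:
        meta = " | ".join(str(m) for m in r.get("metadata", []))
        lines.append(f"- {r.get('region')} {r.get('resourceId')} | {meta}")
    return f"Trusted Advisor: {check_name}"[:100], "\n".join(lines)  # SNS subject max 100 chars

def handler(event, context):
    import boto3  # imported here so the module loads (and tests run) without boto3
    # The Support API is served from us-east-1 and needs a Business/Enterprise support plan.
    support = boto3.client("support", region_name="us-east-1")
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    check_id = next(c["id"] for c in checks if c["name"] == CHECK_NAME)
    # The refresh is asynchronous and rate-limited per check; we read the latest
    # completed result, so a refresh requested now is what the next run sees.
    support.refresh_trusted_advisor_check(checkId=check_id)
    result = support.describe_trusted_advisor_check_result(checkId=check_id, language="en")["result"]
    alert = build_alert(CHECK_NAME, result)
    if alert is None:
        return {"flagged": 0}
    boto3.client("sns").publish(TopicArn=os.environ[TOPIC_ARN_VAR], Subject=alert[0], Message=alert[1])
    return {"flagged": len(flagged_resources(result))}
```

Schedule `handler` from a CloudWatch Events (EventBridge) rate or cron rule; the Lambda role needs `support:*TrustedAdvisor*` read/refresh permissions and `sns:Publish` on the topic.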