AWS DevOps Engineer Professional Practice Test

To monitor compliance status of AWS Config rules for a selected group of resources, what is the recommended approach?

• A. Use AWS Lambda to evaluate compliance
• B. Implement CloudWatch Logs
• C. Configure CloudWatch Events to send notifications to an SNS topic
• D. Disable native SNS integration

The correct answer is: Configure CloudWatch Events to send notifications to an SNS topic

Using CloudWatch Events to send notifications to an SNS (Simple Notification Service) topic is the most effective approach for monitoring compliance status of AWS Config rules for selected resources. AWS Config continuously monitors and records AWS resource configurations, and it can evaluate those configurations against defined rules. When resources are evaluated, AWS Config generates compliance snapshots. By configuring CloudWatch Events to respond to changes in compliance status generated by AWS Config, you can automatically trigger notifications via SNS. This setup ensures that you are promptly informed when compliance changes occur, which allows for timely response and remediation if a resource falls out of compliance. This strategy provides real-time monitoring capabilities and scalability, helping teams to stay informed about the state of their resources without manual intervention or separate evaluation processes. In contrast, using AWS Lambda to evaluate compliance introduces unnecessary complexity, as AWS Config and CloudWatch Events already handle compliance monitoring effectively. While CloudWatch Logs can capture and store logs, they do not inherently manage notification or trigger compliance evaluations. Disabling SNS integration runs counter to the objective of utilizing notifications for alerting compliance status changes.