AWS Certified Solutions Architect - Associate / Question #1045 of 1019

Question #1045

A company must maintain a historical record of its AWS resource configurations to meet compliance requirements and audit for unauthorized modifications. Which service should be implemented to continuously monitor and log configuration changes across all Amazon S3 buckets?

A. Enable AWS Config with compliance rules to track and record configuration changes.

B. Enable AWS CloudTrail to log all API calls related to S3 bucket configurations.

C. Enable Amazon CloudWatch alarms to detect unauthorized configuration changes.

D. Enable AWS Security Hub to aggregate findings from multiple security services.

Explanation

AWS Config (Option A) is the correct answer because it provides continuous monitoring and logging of AWS resource configurations, including Amazon S3 buckets. It records configuration changes and allows you to define compliance rules to audit for unauthorized modifications. This aligns with the requirement to maintain a historical record for compliance.

Option B (AWS CloudTrail) logs API activity but focuses on tracking user activity rather than resource configurations. Option C (Amazon CloudWatch) monitors metrics and triggers alarms but does not track configuration history. Option D (AWS Security Hub) aggregates security findings but does not specifically log configuration changes. AWS Config is uniquely suited for tracking resource configurations and compliance over time, making it the best choice.

Answer

The correct answer is: A