AWS Certified Solutions Architect - Professional / Question #748 of 529

Question #748

A company hosts its customer database on Amazon RDS and uses EC2 instances for application servers. The engineering team shares an AWS account, and occasionally, unauthorized changes to RDS parameter groups cause downtime. A solutions architect must implement a system to monitor configuration changes and trigger alerts when noncompliant modifications to RDS settings occur.

What is the FASTEST way to meet these requirements?

A. Set up AWS Organizations and apply Service Control Policies (SCPs) to govern and track noncompliant changes to RDS parameter groups.

B. Enable AWS CloudTrail to log RDS parameter group changes. Use Amazon CloudWatch alarms to trigger alerts for noncompliant modifications.

C. Enable SCPs on the AWS account to block and alert on noncompliant changes to RDS parameter groups.

D. Enable AWS Config to track RDS parameter group configurations and compliance. Integrate with Amazon Simple Notification Service (Amazon SNS) to send alerts for noncompliant changes.

Explanation

Answer D is correct because AWS Config is specifically designed to monitor resource configurations and assess compliance against predefined rules. When noncompliant changes to RDS parameter groups occur, AWS Config can trigger alerts via Amazon SNS, providing immediate visibility.

Option A (SCPs via AWS Organizations) is incorrect because SCPs enforce guardrails across accounts but do not monitor or alert on changes. Option B (CloudTrail/CloudWatch) logs API activity but lacks built-in compliance checks, requiring custom logic to detect noncompliant changes. Option C (SCPs) is incorrect because SCPs block actions rather than monitor or alert on them. AWS Config’s native compliance tracking and integration with SNS make it the fastest and most effective solution.

Answer

The correct answer is: D