You can turn on the AWS Config service from the AWS CLI by running the subscribe command and passing as parameters a valid IAM role, SNS topic, and ____.
C
You can use the AWS CLI to turn on AWS Config. All it takes is the subscribe command and a few additional parameters. The parameters are -s3-bucket, which specifies the S3 bucket to which AWS Config data will be saved, -sns-topic, which specifies to which SNS topic messages from AWS Config will be sent, and - iam-role, which is an IAM role containing appropriate permissions for AWS Config to access the resources it monitors.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-subscribe.html
You would like to automate the monitoring of changes in the configurations of your AWS resources and respond programmatically to configurations of only a certain type. To do this, you could use Amazon ____ as the endpoint for the Amazon SNS topics that generate messages from AWS Config.
D
AWS Config uses Amazon Simple Notification Service (SNS) to send you notifications every time a supported AWS resource is created, updated, or otherwise modified as a result of user API activity. However, you might be interested in only certain resource configuration changes. For example, you might consider it critical to know when someone modifies the configuration of a security group, but not need to know every time there is a change to tags on your Amazon EC2 instances. Or, you might want to write a program that performs specific actions when specific resources are updated. For example, you might want to start a certain workflow when a security group configuration is changed. If you want to programmatically consume the data from AWS Config in these or other ways, use an Amazon Simple Queue Service queue as the notification endpoint for Amazon SNS.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/monitor-resource-changes.html
You can use the ____ command of the AWS Config service CLI to see the compliance state for each AWS resource of a specific type.
A
You can use the AWS Config console, AWS CLI, or AWS Config API to view the compliance state of your rules and resources. The describe-compliance-by- resource command of the AWS Config CLI to see the compliance state for each AWS resource of a specific type. This is distinct from the describe-compliance-by- config-rule command, which gives the compliance state of each rule in AWS Config .
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html
When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created. This object contains another JSON string in its ____ parameter, which describes the event that triggered the rule.
C
The JSON object for an AWS Config event contains an invoking Event attribute, which describes the event that triggers the evaluation for a rule. If the event is published in response to a resource configuration change, the value for this attribute is a string that contains a JSON configuration Item or a configuration Item
Summary (for oversized configuration items). The configuration item represents the state of the resource at the moment that AWS Config detected the change. If the event is published for a periodic evaluation, the value is a string that contains a JSON object. The object includes information about the evaluation that was triggered. For each type of event, a function must parse the string with a JSON parser to be able to evaluate its contents.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_exa mple-events.html
When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created. This object contains a(n) ____ attribute, which is a JSON- formatted set of key/value pairs the receiving AWS Lambda function processes as part of its evaluation logic.
A
The JSON object for an AWS Config event contains a ruleParameters attribute, which is a set of key/value pairs that the AWS Lambda function receiving the event processes as part of its evaluation logic. You define parameters when you use the AWS Config console to create a custom rule. You can also define parameters with the InputParameters attribute in the PutConfigRule AWS Config API request or the put-config-rule AWS CLI command. The JSON code for the parameters is contained within a string, so a function must parse the string with a JSON parser to be able to evaluate its contents
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_exa mple-events.html
When using AWS Config, which two items are stored on S3 as a part of its operation?
C
S3 is used to store the Configuration History files and any Configuration Snapshots of your data within a single bucket, which is defined within the Configuration
Recorder. You can get AWS Config to create a new bucket for you and select an existing bucket. If you have multiple AWS accounts you may want to aggregate your Configuration History and Snapshot files into the same S3 Bucket for your primary account, just be aware that this can be achieved. However, you will need to grant write access for the service principal (config.amazonaws.com) in your other accounts write access to the S3 bucket.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-items
You can use the ____ page of the AWS Config console to look up resources that AWS Config has discovered, including deleted resources and resources that are not currently being recorded.
C
You can use the AWS Config console, AWS CLI, and AWS Config API to look up the resources that AWS Config has taken an inventory of, or discovered, including deleted resources and resources that AWS Config is not currently recording. AWS Config discovers supported resource types only. You can use the
AWS Config console in the AWS Management console to look up these resources. The Resource Inventory page lets you perform this search.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/looking-up-discovered-resources.html
An AWS Config rule can be set to be evaluated if a certain set of resources undergoes a configuration change. The set of resources to which the rule applies can be restricted by the rule's ____, which can include a combination of a resource type and a resource ID, for example.
D
When you add an AWS Config rule to your account, you can specify when you want AWS Config to run the rule; this is called a trigger. AWS Config evaluates your resource configurations against the rule when the trigger occurs. You choose which resources trigger the evaluation by defining the rule's scope. The scope can include the following:
One or more resource types -
A combination of a resource type and a resource ID A combination of a tag key and value.
When any recorded resource is created, updated, or deleted AWS Config runs the evaluation when it detects a change to a resource that matches the rule's scope. You can use the scope to constrain which resources trigger evaluations. Otherwise, evaluations are triggered when any recorded resource changes.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
Which other AWS service is used to track `Related Events' within the Configuration Item?
C
`Related Events' displays the AWS CloudTrail event ID that is related to the change that triggered the creation of the CI. There is a new CI made for every change made against a resource. As a result a different CloudTrail event IDs will be created. This allows you you to deep-dive into who or what and when made the change that triggered this CI. A great feature allowing for some great analysis to be taken, specifically when this affects security resources.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#config-item-table
Non-compliant resources identified through the use of AWS Config Rules are automatically removed from operational service.
D
Each time a change is made to one of your supported resources, AWS config will check its compliance against any Config Rules that you have in place. If there is a violation against these rules then AWS Config will send a message to the Configuration Stream via SNS and the resource will be marked as `noncompliant'.
It's important to note that this does not mean the resource will be taken out of service or it will stop working. It will continue to operate exactly as it is with its new configuration. AWS Config simply alerts you that there is a violation and it's up to you to take the appropriate action.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html
