Regarding this sample question: "How to monitor that all S3 buckets in your account have encryption enabled and auto-remediate any that are not." This is listed as not correct:
"CloudWatch Events rule that triggers an SNS notification when the Lambda function detects an S3 bucket which is not using server-side encryption". Is this not correct because Lambda cannot detect?
But this is correct:
"Create a Lambda function which uses the IAM role to review the S3 bucket settings, correct them and notify your team of out-of-compliance buckets". Is this correct because Lambda is used to review vs. detect?
Appreciate any input.
Yes, you would use a CloudWatch Events rule that gets triggered by Config if there's a change in the config/compliance (refer to https://docs.aws.amazon.com/config/latest/developerguide/monitor-config-with-cloudwatchevents.html), then CloudWatch can trigger Lambda to review what Config found, and take action.
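As an added illustration of the Config -> CloudWatch Events -> Lambda flow described in the answer above (example code written for this page, not from the thread or from AWS): a Lambda handler that receives a Config compliance-change event, re-checks the bucket, enables default encryption if it is missing, and optionally notifies a team via SNS. It assumes a Config rule evaluating AWS::S3::Bucket resources for default encryption and a CloudWatch Events rule matching "Config Rules Compliance Change" events with this function as target; the bucket name, rule name, account ID and the FakeS3 client are constructed so the sample runs offline without boto3.

```python
# Added example (not from the original thread): Lambda handler for the
# Config -> CloudWatch Events -> Lambda remediation flow. Bucket and rule
# names below are made up; FakeS3 stands in for boto3 so this runs offline.
import json
import os

try:
    import boto3  # present in the Lambda runtime; optional so the sample runs offline
except ImportError:
    boto3 = None

# Default encryption to apply to a non-compliant bucket (SSE-S3; use
# "aws:kms" plus KMSMasterKeyID if your team requires SSE-KMS).
ENCRYPTION_CONFIG = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}

# Constructed sample event following the Config compliance-change shape from
# the docs linked in the answer; only the fields the handler reads are filled in.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "resourceId": "example-unencrypted-bucket",
        "resourceType": "AWS::S3::Bucket",
        "configRuleName": "s3-bucket-server-side-encryption-enabled",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
    },
}


def noncompliant_bucket(event):
    """Return the bucket name if the event reports an S3 bucket as NON_COMPLIANT,
    else None, so unrelated or COMPLIANT events are ignored rather than acted on."""
    if event.get("source") != "aws.config":
        return None
    if event.get("detail-type") != "Config Rules Compliance Change":
        return None
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::S3::Bucket":
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")


def has_default_encryption(s3, bucket):
    """Re-check the live bucket: Config evaluations lag, so someone may already
    have fixed the bucket between the evaluation and this invocation."""
    try:
        s3.get_bucket_encryption(Bucket=bucket)
        return True
    except Exception as exc:  # botocore's ClientError carries the code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return False
        raise


def lambda_handler(event, context=None, s3=None, sns=None):
    """Entry point. The function's IAM role needs s3:GetEncryptionConfiguration,
    s3:PutEncryptionConfiguration and, if NOTIFY_TOPIC_ARN is set, sns:Publish."""
    bucket = noncompliant_bucket(event)
    if bucket is None:
        return {"action": "ignored"}
    s3 = s3 or boto3.client("s3")
    if has_default_encryption(s3, bucket):
        return {"bucket": bucket, "action": "already-encrypted"}
    s3.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=ENCRYPTION_CONFIG
    )
    topic = os.environ.get("NOTIFY_TOPIC_ARN")  # hypothetical env var name
    if topic:
        sns = sns or boto3.client("sns")
        sns.publish(
            TopicArn=topic,
            Subject="S3 bucket default encryption remediated",
            Message=json.dumps({"bucket": bucket, "rule": event["detail"].get("configRuleName")}),
        )
    return {"bucket": bucket, "action": "encryption-enabled"}


class FakeS3:
    """Constructed stand-in for boto3's S3 client so the sample runs offline."""
    def __init__(self, encrypted=()):
        self.encrypted = set(encrypted)

    def get_bucket_encryption(self, Bucket):
        if Bucket in self.encrypted:
            return {"ServerSideEncryptionConfiguration": ENCRYPTION_CONFIG}
        err = Exception("no default encryption on " + Bucket)
        err.response = {"Error": {"Code": "ServerSideEncryptionConfigurationNotFoundError"}}
        raise err

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.encrypted.add(Bucket)
        return {}


if __name__ == "__main__":
    fake = FakeS3()
    print(lambda_handler(SAMPLE_EVENT, s3=fake))  # enables encryption
    print(lambda_handler(SAMPLE_EVENT, s3=fake))  # now already-encrypted
```

The point worth noting is that the Lambda does not scan all buckets on each run: Config does the detecting, the CloudWatch Events rule delivers one event per compliance change, and the function only re-verifies and corrects the single bucket named in the event. That is the "review and correct" role the correct answer assigns to Lambda.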