A company has strict security policies. For its AWS services, special attention is required to ensure that there is no security vulnerability. You are asked to set up a rule in AWS Config to inspect if the AWS resources are always as expected. The rule is very complicated, and there is no existing AWS managed rule that can meet the company’s needs. Which actions in combinations can achieve this requirement? (Select TWO.)

Answer options:

A.Create a t2.micro EC2 instance to implement the custom policies to check if AWS resources are not exposed to security issues. The instance also listens to an SQS queue and starts processing whenever there is a new message in the queue.
B.Create an AWS Lambda function that contains the logic of the custom rule to evaluate whether the AWS resources are compliant.
C.Create an SNS topic and subscribe to the topic with an email notification to the team member, if there is a security issue in AWS resources.
D.In AWS Config, add a custom rule that runs every hour and sends a message to an SQS queue.
E.In AWS Config, add a custom rule and specify the ARN of an AWS Lambda function that checks AWS resources.

Correct Answer – B, E
In AWS config, there are AWS managed rules or custom rules. For the introduction of custom rules, please check the documentation in
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html.
Option A is incorrect: Because the EC2 instance is not as flexible as the Lambda function. More importantly, the AWS Config custom rule only supports Lambda function as its target.
Option B is CORRECT: A Lambda Function can be created with the blueprint of config-rule-change-triggered.
Option C is incorrect: Because configuring an SNS topic is not a necessary step.
Option D is incorrect: Because the custom rule in AWS Config should directly call the Lambda ARN and trigger the function.
Option E is CORRECT: When a custom rule is created, Lambda ARN can be configured as below: