ExamQuestions.com

AWS Certified DevOps Engineer Professional Exam Questions

Question 239:

You are the cloud DevOps engineer for a forensic research company that wants to implement web ACL logging to analyze AWS WAF rules compliance and track changes to stored secrets for rotation. Which statement describes the best approach to deal with this scenario?

Answer options:

A. Define a configuration change in an AWS::WAF::WebACL resource that triggers a custom AWS Config rule blueprint. Set the timeoutSeconds property shared by all operational playbook actions to specify the execution timeout value for the action. Further, you can change how an action timing out affects the Automation workflow and overall execution status. To track changes to secrets, it is possible to rely on the AWS Config managed rule secretsmanager-rotation-enabled-check which is NON_COMPLIANT if the secret is not scheduled for rotation.
B. Define a configuration change in an AWS::WAF::WebACL resource that triggers a custom AWS Config rule blueprint. Run an automation workflow through AWS::Config::RemediationConfiguration whose TargetType is a Systems Manager operational playbook that calls another AWS Lambda function that will attempt to enable logging on the web ACL automatically. Create another custom AWS Config rule to track changes to stored secrets which is NON_COMPLIANT if the secret is not scheduled for rotation.
C. Configure a custom AWS Config rule to invoke an AWS Lambda function in response to a configuration change in an AWS::WAF::WebACL resource. Run an automation workflow through AWS::Config::RemediationConfiguration whose TargetType is a Systems Manager operational playbook that calls another AWS Lambda function that will attempt to automatically enable logging on the web ACL. To track changes to secrets, it is possible to rely on the AWS Config managed rule secretsmanager-rotation-enabled-check which is NON_COMPLIANT if the secret is not scheduled for rotation.
D. Configure a custom AWS Config rule to invoke an AWS Lambda function in response to a configuration change in an AWS::WAF::WebACL resource. Set the timeoutSeconds property shared by all operational playbook actions to specify the execution timeout value for an action. Further, you can change how an action timing out affects the Automation workflow and overall execution status. Create another custom AWS Config rule to track changes to stored secrets which is NON_COMPLIANT if the secret is not scheduled for rotation.