An AWS security specialist has set up and activated several AWS Config managed rules. The rules are used to evaluate whether the AWS resources comply with company security policies.
For example, Amazon EBS volumes should be encrypted with Customer Managed Keys (CMKs). If one Config rule becomes non-compliant, the team should get near-real-time notifications.
Which option is the easiest one and a cost-effective solution to set up the notifications?

Answer options:

A.Configure AWS Config rules using Lambda functions. Whenever config rules become non-compliant, the Lambda functions send notifications to an SNS topic.
B.Integrate AWS Config rules with an Amazon Kinesis stream to perform real-time analysis and notifications.
C.Create an AWS CloudWatch Event rule to check the event type of "Config Rules Compliance Change". Add an SNS topic as the target to provide notifications.
D.Configure each AWS Config rule with a CloudWatch alarm. Trigger the alarm if the rule becomes non-compliant.

Answer: C
Option A is incorrect because creating, maintaining, and managing several config rules and integrating with lambda would not be an efficient solution for all the options.
Option B is incorrect because CloudWatch Events can deliver a near real-time stream of system events that describe changes in AWS resources, including AWS Config rules, and using Kinesis would not be the most efficient and cost-effective solution to provide the notification.
Option C is CORRECT because users can configure a CloudWatch Event rule to check the AWS Config compliance change events and integrate with SNS to provide the notifications.
Option D is incorrect because AWS Config rules do not integrate with CloudWatch alarms to notify configuration changes.
Reference:
https://docs.aws.amazon.com/config/latest/developerguide/monitor-config-with-cloudwatchevents.html