You are working in the IT security team in a big company. In order to perform security checks in AWS services, you have written dozens of custom AWS Config rules. One of them is to check if the S3 bucket policy contains certain explicit denies. This particular Config rule is supposed to be applied for all S3 buckets. Your manager has asked you how to trigger the custom Config rule. Which answers are correct? (Select TWO.)

Answer options:

A.It can be triggered through a cron job such as every 5 minutes.
B.Custom Config rules can only be triggered manually through the AWS Config console or CLI command.
C.It can be triggered whenever there is a configuration change for an S3 bucket.
D.The custom Config rule can be triggered periodically such as every hour.
E.Users can configure in the AWS Config console to trigger the Config rule only when there is a new S3 bucket created.

Answer: C and D
Option A is incorrect because the rule cannot be triggered every 5 minutes. Refer to screenshot A for more details.
Option B is incorrect because the rule can be triggered automatically. Manual triggering is not the only way.
Option C is CORRECT because users can configure the trigger type as the Configuration Changes. Refer to screenshot B for more details.
Option D is CORRECT because this is an available option while creating a new trigger. Refer to screenshot A for more details.
Option E is incorrect because users cannot select to trigger the rule when there is a new S3 bucket created. Instead, users can select the trigger type to be Configuration Changes for S3 buckets.
Screenshot A
Screenshot B
There are two types of triggers: Configuration Changes and Periodic. There is no difference between the AWS managed Config rule and the custom Config rule in terms of triggers.
For more information on using atrigger for a Config rule, kindly refer to the URL below:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html.