As an AWS security specialist, you are working on applying AWS Config rules to all AWS accounts to ensure that AWS resources meet security requirements. One of the security checks is to inspect whether EC2 resources have appropriate Tags. If not, the rule will be non-compliant. There is an existing AWS Config rule called required-tags. However, it does not meet your needs. For example, you want the rule to check specific resources in certain availability zones. How should you implement the Config rule to perform custom checks?

Answer options:

A.Create an AWS Lambda function to perform the custom checks. Then configure a custom AWS Config rule to invoke the Lambda function.
B.Submit a support request to update AWS provided config rule required-tags.
C.In Systems Manager Automation, create an automation document that performs custom checks. Configure a custom AWS Config rule which invokes the document.
D.Configure a custom AWS Config rule to invoke a CloudWatch Event. Create a new CloudWatch Event rule with a Lambda function as the target. Use the AWS Lambda function to perform required custom checks.

Answer – A
Option A is CORRECT because users can develop custom rules using Lambda functions and then add them to AWS Config rules. Refer to the below snapshot for more information.
Option B is incorrect because users can edit their own Config rules.
Option C is incorrect because the custom AWS Config rule needs to execute a Lambda function rather than an Automation document in Systems Manager.
Option D is incorrect: Because the custom AWS Config rule can invoke a Lambda function directly. There is no need to involve the CloudWatch Event.
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html.