ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your e-commerce workload runs on multiple Amazon EC2 instances behind an Application Load Balancer. The security team must add a detective control that continuously records any configuration change to the instances or their security groups, compares each change against approved baselines, and sends an immediate alert when non-compliance is detected. Which AWS solution best satisfies these requirements?
Use IAM Access Analyzer to continuously scan security group updates and publish findings to Amazon CloudWatch Events.
Enable AWS Config recording for all resources, add compliance rules for EC2 instances and security groups, and send rule violation notifications through Amazon SNS.
Activate AWS Shield Advanced with proactive event monitoring to generate alerts whenever the environment configuration changes.
Attach an AWS WAF web ACL to the Application Load Balancer and use its logging feature to detect unauthorized resource modifications.
AWS Config is a managed service designed for detective controls. When configuration recording is enabled, it captures every change to supported resources such as EC2 instances and security groups. You can create AWS Config managed or custom rules that define the approved baseline. When a resource drifts from that baseline, the rule marks it non-compliant and AWS Config automatically delivers an event to Amazon SNS or EventBridge, providing near-real-time alerts.
AWS Shield Advanced focuses on DDoS mitigation (a preventative control) and does not track resource configurations. AWS WAF logs HTTP requests but cannot evaluate infrastructure configuration drift. IAM Access Analyzer detects resource policies that allow unintended external access, not all configuration changes to EC2 or security groups, and therefore does not meet the stated requirement.
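The baseline comparison that a custom AWS Config rule performs on a recorded security group change, as an added example that is not part of the original question. The approved baseline, the resource ID, and the sample configuration items (with a field layout modelled on a Config security group configuration item) are assumptions constructed for illustration.

```python
# Approved baseline (constructed for this example): only TCP 443 may be
# reachable from any address; every other port needs a narrower source.
APPROVED_PUBLIC = {("tcp", 443)}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def evaluate_security_group(item, approved=APPROVED_PUBLIC):
    """Compare one recorded configuration item against the baseline."""
    if (item.get("resourceType") != "AWS::EC2::SecurityGroup"
            or item.get("configurationItemStatus") == "ResourceDeleted"):
        return {"compliance": "NOT_APPLICABLE", "violations": []}
    violations = []
    for rule in item["configuration"].get("ipPermissions", []):
        sources = {r["cidrIp"] for r in rule.get("ipv4Ranges", [])}
        sources |= {r["cidrIpv6"] for r in rule.get("ipv6Ranges", [])}
        if not sources & ANY_SOURCE:
            continue  # source is restricted, so the rule is within baseline
        proto = rule.get("ipProtocol")
        if proto in ("tcp", "udp"):
            lo, hi = rule["fromPort"], rule["toPort"]
            if all((proto, p) in approved for p in range(lo, hi + 1)):
                continue  # world-open, but only on approved ports
            label = f"{proto}/{lo}-{hi}"
        else:
            label = "all traffic" if proto == "-1" else str(proto)
        violations.append(f"{label} open to any source")
    status = "NON_COMPLIANT" if violations else "COMPLIANT"
    return {"compliance": status, "violations": violations}

def alert_for(item, result):
    """Build the notification text for a drifted resource, else None."""
    if result["compliance"] != "NON_COMPLIANT":
        return None
    return f"{item['resourceId']} NON_COMPLIANT: " + "; ".join(result["violations"])

def sg(resource_id, *perms):
    """Constructed sample item, modelled on a Config configuration item."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
            "configurationItemStatus": "OK",
            "configuration": {"ipPermissions": list(perms)}}

def perm(proto, lo, hi, cidr):
    return {"ipProtocol": proto, "fromPort": lo, "toPort": hi,
            "ipv4Ranges": [{"cidrIp": cidr}], "ipv6Ranges": []}

BASELINE_SG = sg("sg-example-web", perm("tcp", 443, 443, "0.0.0.0/0"),
                 perm("tcp", 22, 22, "10.0.0.0/8"))
DRIFTED_SG = sg("sg-example-web", perm("tcp", 443, 443, "0.0.0.0/0"),
                perm("tcp", 22, 22, "0.0.0.0/0"))  # SSH opened to the world
```

In a deployed rule the compliance result is reported back to AWS Config, and the notification itself is delivered through Amazon SNS or EventBridge rather than built by the rule.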