The reason is that this solution will meet the requirements of collecting, reviewing, and managing the evidence from both on-premises and AWS resources to demonstrate compliance with company policy. According to the web search results12, “AWS Audit Manager helps you continuously audit your AWS usage to simplify how you manage risk and compliance with regulations and industry standards. AWS Audit Manager makes it easier to evaluate whether your policies, procedures, and activities—also known as controls—are operating as intended.” The results1 also state that “In addition to the evidence that Audit Manager collects from your AWS environment, you can also upload and centrally manage evidence from your on-premises or multicloud environment.” Therefore, by creating an assessment in AWS Audit Manager, the security engineer can use a prebuilt or custom framework that contains the relevant controls for the company policy, upload manual evidence from the on-premises workloads, and add the evidence to the assessment. After Audit Manager collects the necessary evidence from the AWS resources, the security engineer can generate an assessment report that includes all the evidence from both sources.
The other options are incorrect because:
B. Install the Amazon CloudWatch agent on the on-premises workloads. Use AWS Config to deploy a conformance pack from a sample conformance pack template or a custom YAML template. Generate an assessment report after AWS Config identifies noncompliant workloads and resources. This option is not sufficient to meet the requirements, because it does not collect or manage the evidence from both sources. It only monitors and evaluates the configuration compliance of theworkloads and resources using AWS Config rules. According to the web search results3, “A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.” However, a conformance pack does not provide a way to upload or include manual evidence from the on-premises workloads, nor does it generate an assessment report that contains all the evidence.
C. Set up the appropriate security standard in AWS Security Hub. Upload manual evidence from the on-premises workloads. Wait for Security Hub to collect the evidence from the AWS resources. Download the list of controls as a .csv file. This option is not optimal to meet the requirements, because it does not provide a comprehensive or audit-ready report that contains all the evidence. It only provides a list of controls and their compliance status in a .csv file format. According to the web search results4, “Security Hub provides you with a comprehensive view of your security state within AWS and helps you check your environment against security industry standards and best practices.” However, Security Hub does not provide a way to upload or include manual evidence from the on-premises workloads, nor does it generate an assessment report that contains all the evidence.
D. Install the Amazon CloudWatch agent on the on-premises workloads. Create a CloudWatch dashboard to monitor the on-premises workloads and the AWS resources. Run a query on the workloads and resources. Download the results. This option is not sufficient to meet the requirements, because it does not collect or manage the evidence from both sources. It only monitors and analyzes the metrics and logs of the workloads and resources using CloudWatch. According to the web search results, “Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers.” However, CloudWatch does not provide a way to upload or include manual evidence from the on-premises workloads, nor does it generate an assessment report that contains all the evidence.
Submit