PAS-C01 · Question #5
A company is running its SAP workload on AWS. The company's security team has implemented the following requirements: - All Amazon EC2 instances for SAP must be SAP certified instance types. - Encrypt
The correct answer is D. Use AWS Config managed rules to monitor for compliance with the requirements, except for the. AWS Config provides managed rules for many of the listed requirements: checking EC2 instance types (approved-amis-by-tag or custom rule), verifying S3 and EBS encryption, confirming CloudTrail is active, and verifying detailed monitoring. However, AWS Config has no managed rule f
Question
A company is running its SAP workload on AWS. The company's security team has implemented the following requirements:
- All Amazon EC2 instances for SAP must be SAP certified instance
types.
- Encryption must be enabled for all Amazon S3 buckets and Amazon
Elastic Block Store (Amazon EBS) volumes.
- AWS CloudTrail must be activated.
- SAP system parameters must be compliant with business rules.
- Detailed monitoring must be enabled for all instances.
The company wants to develop an automated process to review the systems for compliance with the security team's requirements. The process also must provide notification about any deviation from these standards. Which solution will meet these requirements?
Options
- AUse AWS AppConfig to model configuration data in an AWS Systems Manager Automation
- BUse AWS Config managed rules to monitor for compliance with all the requirements. Use Amazon
- CUse AWS Trusted Advisor to monitor for compliance with all the requirements. Use Trusted
- DUse AWS Config managed rules to monitor for compliance with the requirements, except for the
How the community answered
(57 responses)- A4% (2)
- B19% (11)
- C9% (5)
- D68% (39)
Explanation
AWS Config provides managed rules for many of the listed requirements: checking EC2 instance types (approved-amis-by-tag or custom rule), verifying S3 and EBS encryption, confirming CloudTrail is active, and verifying detailed monitoring. However, AWS Config has no managed rule for validating SAP-specific application parameters (business rules embedded in SAP configuration), because these are application-layer settings, not AWS resource attributes. Answer D correctly identifies that a mix of AWS Config managed rules (for the AWS-resource-level checks) plus a custom Config rule or AWS Systems Manager approach (for SAP parameter compliance) is needed. Answer B is incorrect because it claims Config managed rules cover all requirements, including SAP system parameters, which they cannot. Answer A is incorrect because AWS AppConfig is a feature deployment service, not a compliance monitoring tool. Answer C is incorrect because AWS Trusted Advisor does not have visibility into SAP-specific parameters and does not provide granular compliance notifications for all the listed requirements.
Topics
Community Discussion
No community discussion yet for this question.