AWS DevOps Engineer Professional Practice Test

What is the recommended method for auditing CloudFormation usage in an AWS Account?

• A. Enable AWS Config and create a dashboard
• B. Use tags for resource tracking
• C. Enable CloudTrail logging and specify an S3 bucket
• D. Review IAM policies regularly

The correct answer is: Enable CloudTrail logging and specify an S3 bucket

The recommended method for auditing CloudFormation usage in an AWS account is to enable CloudTrail logging and specify an S3 bucket. CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. When CloudTrail is activated, it records API calls made on your account, including those from AWS CloudFormation. Each event logged includes key details, such as the identity of the API caller, the time of the call, the source IP address, and the request parameters. By specifying an S3 bucket for storing CloudTrail logs, you create a reliable and secure means of accessing and analyzing those logs for auditing purposes. Using CloudTrail provides a comprehensive audit trail of all management events, which include changes to the CloudFormation stacks, updates, creation and deletion events, and other crucial activities. This allows teams to track changes over time, investigate potential issues, and maintain compliance with internal or external policies. While enabling AWS Config and creating a dashboard can help you track resource configurations and compliance, it does not specifically capture CloudFormation stack events as thoroughly as CloudTrail does. Utilizing tags for resource tracking can provide organizational benefits, but it does not serve the primary function of auditing API usage. Regular reviews of IAM policies contribute to security but