in AWS

Whilst working on a collaborative project, an administrator would like to record the initial configuration and several authorized changes that engineers make to the route table of a VPC.

What is the best method to achieve this?

1 Answer


Correct Answer - A.

AWS Config can be used to keep track of configuration changes on AWS resources, keeping multiple date-stamped versions in a reviewable history.

This makes it the best method to meet the scenario requirements.

https://aws.amazon.com/config/

Option B is incorrect because VPC flow logs will only capture IP traffic-related information passing through and from network interfaces within the VPC.

VPC flow logs will not be able to capture configuration changes made to route tables.

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

Option C is incorrect because AWS CloudTrail captures identity access activity and event history within the AWS environment.

Recording the actions and API calls is not best suited to keeping a record of configurations.

https://aws.amazon.com/cloudtrail/

Option D is incorrect because using a Lambda function to write configuration changes might meet the requirements, but it would not be the best method.

AWS Config can deliver what is needed with much less administrative input.

The best method to achieve this is to use AWS CloudTrail.

AWS CloudTrail is a service that records all API calls and events made in an AWS account. It enables governance, compliance, operational auditing, and risk auditing of the AWS account. CloudTrail can help identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

By enabling AWS CloudTrail in the AWS account, administrators can log all API calls made to the VPC and its associated resources, including route tables. CloudTrail records the event details such as who made the change, what action was taken, when the change was made, and the IP address of the user making the change.

Using AWS CloudTrail, administrators can create trails that are specific to a VPC or a set of resources within a VPC, and they can specify that only authorized users can make changes to those resources. The recorded events can be stored in Amazon S3 or delivered to Amazon CloudWatch Logs for further analysis.

AWS Config, an alternative option listed in the exam question, can also record and track changes made to resources in AWS, including VPCs and route tables. However, AWS Config focuses on resource configuration changes over time, not on auditing user activity. AWS Config is designed to continuously monitor and record the configuration changes to resources, not just the initial configuration and authorized changes made by engineers to a specific resource.

VPC Flow Logs can capture information about the IP traffic going to and from network interfaces in a VPC, including the route table traffic, but they are not designed to track user activity or changes made to the route table configuration.

Using an AWS Lambda function that is triggered to save a log file to an S3 bucket each time configuration changes are made is a custom solution that can achieve the goal, but it requires more effort and maintenance than using AWS CloudTrail, which is a fully managed service. Additionally, the Lambda function may not capture all relevant information, such as the IP address of the user making the change, without additional configuration.

...
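To make the distinction between the two services concrete, here is an added example (not part of the answer above) that processes both kinds of records for a route table: CloudTrail events answer "who called which API, from where, when", while AWS Config configuration items answer "what did the route table look like at each point in time". The event names and the simplified field shapes (`requestParameters.routeTableId`, `configuration.routes`) are assumed to match what CloudTrail and `GetResourceConfigHistory` return for `AWS::EC2::RouteTable`; all sample data is constructed.

```python
# EC2 API calls that mutate a route table (assumed list, not exhaustive).
ROUTE_TABLE_WRITE_EVENTS = {
    "CreateRoute", "ReplaceRoute", "DeleteRoute",
    "AssociateRouteTable", "DisassociateRouteTable", "ReplaceRouteTableAssociation",
}

def cloudtrail_route_changes(records):
    """Extract who/what/when/from-where for each route-table write in CloudTrail records."""
    changes = []
    for r in records:
        if r.get("eventSource") == "ec2.amazonaws.com" and r.get("eventName") in ROUTE_TABLE_WRITE_EVENTS:
            changes.append({
                "time": r["eventTime"],
                "action": r["eventName"],
                "actor": r["userIdentity"].get("arn"),
                "source_ip": r.get("sourceIPAddress"),
                "route_table": r.get("requestParameters", {}).get("routeTableId"),
            })
    return changes

def config_history_diffs(items):
    """Diff consecutive AWS Config configuration items (simplified shape) of one route table.
    Returns, per new version, the routes added and removed relative to the previous version."""
    def route_set(item):
        return {(rt["destinationCidrBlock"], rt.get("gatewayId") or rt.get("natGatewayId") or "")
                for rt in item["configuration"]["routes"]}
    items = sorted(items, key=lambda i: i["configurationItemCaptureTime"])
    diffs = []
    for prev, cur in zip(items, items[1:]):
        before, after = route_set(prev), route_set(cur)
        diffs.append({"time": cur["configurationItemCaptureTime"],
                      "added": sorted(after - before), "removed": sorted(before - after)})
    return diffs

# Constructed sample data (placeholder account id, TEST-NET addresses, example resource ids).
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateRoute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"routeTableId": "rtb-0example", "destinationCidrBlock": "10.1.0.0/16"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeRouteTables",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}, "sourceIPAddress": "203.0.113.6",
     "requestParameters": {}},
]
SAMPLE_CONFIG = [
    {"configurationItemCaptureTime": "2024-05-01T09:00:00Z",
     "configuration": {"routes": [{"destinationCidrBlock": "10.0.0.0/16", "gatewayId": "local"}]}},
    {"configurationItemCaptureTime": "2024-05-01T10:00:30Z",
     "configuration": {"routes": [{"destinationCidrBlock": "10.0.0.0/16", "gatewayId": "local"},
                                  {"destinationCidrBlock": "10.1.0.0/16", "gatewayId": "igw-0example"}]}},
]
```

Run together, the two outputs correlate: CloudTrail shows alice calling CreateRoute at 10:00:00, and the next Config version (captured 10:00:30) shows the new 10.1.0.0/16 route that call produced.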