AWS DevOps Engineer Professional DOP-C01 – Question225

A company uses federated access for its AWS environment. The available roles are created and managed using AWS CloudFormation from CI/CD pipeline. All changes should be made to the IAM roles through the pipeline. The security team found that changes are being made to the roles out-of-band and would like to detect when this occurs.
Which action will accomplish this?

A.
Use Amazon Inspector rules to detect and notify when a CloudFormation stack has a configuration change.
B. Use an AWS Trusted Advisor CloudWatch Events rule to detect and notify when a CloudFormation stack has a configuration change.
C. Use AWS CloudTrail to detect and notify when a CloudFormation stack has detected a configuration change.
D. Use an AWS Config rule to detect and notify when a CloudFormation stack has detected a configuration change.