A company has the following security policy for its Amazon Aurora MySQL databases for a...

AWS Config is a fully managed service that provides continuous monitoring and evaluation of AWS resource configurations against desired configuration baselines. According to the AWS Certified Security – Specialty Official Study Guide, AWS Config is the primary service used to track configuration changes, evaluate compliance in near real time, and display compliance states for individual AWS resources.

AWS Config provides managed rules that directly map to the listed Aurora MySQL security requirements, including encryption at rest, public accessibility, deletion protection, and log exports to CloudWatch Logs. These managed rules continuously evaluate resources and mark them as compliant or noncompliant whenever a configuration change occurs.

The AWS Config dashboard enables security engineers to view per-resource and per-rule compliance states at any point in time, satisfying the requirement to display compliance status for each part of the policy.

AWS Audit Manager (Option A) is designed for audit evidence collection and reporting, not continuous monitoring. AWS Security Hub (Option C) aggregates findings from other services but relies on AWS Config for configuration compliance data. Option D introduces unnecessary custom logic and does not provide a native compliance dashboard.

AWS documentation explicitly identifies AWS Config as the authoritative service for continuous compliance monitoring and visibility.

AWS Certified Security – Specialty Official Study Guide

AWS Config Developer Guide

Amazon Aurora Security Best Practices

AWS Well-Architected Framework – Security Pillar