The correct answers are: Activate AWS Config and define rules to monitor and evaluate compliance of EC2 instances and security groups and Enable AWS CloudTrail to capture API activity logs across all AWS services for auditing purposes.

AWS Config continuously records configuration changes to AWS resources and allows you to define compliance rules. This service is crucial for identifying misconfigured security groups or oversized EC2 instances and ensures that changes align with organizational policies. You can use it to track historical configuration changes, receive notifications for rule violations, and enforce remediation actions.

AWS CloudTrail complements AWS Config by capturing a history of API calls made across your AWS environment. It records who made a change, when it was made, and what actions were taken, which is essential for audit trails, security analysis, and incident response.

The option Enable AWS Trusted Advisor and review the security dashboard for best practices and recommendations is helpful but not sufficient. Trusted Advisor provides general recommendations, not real-time tracking of user activity or specific configuration changes. It cannot enforce compliance or provide the detailed logging needed for auditing.

The option Create data lifecycle policies for EC2 instances to manage and archive outdated configurations is unrelated to compliance or tracking unauthorized changes. Lifecycle policies apply more to managing data in Amazon EBS or S3, not to auditing configuration changes or EC2 provisioning practices.

The option Roll back unwanted infrastructure changes using a predefined AWS CloudFormation template is reactive and does not provide visibility or alerting. While it might restore desired configurations, it lacks the monitoring and audit capabilities required to identify and track changes in the first place.

This question is important because it tests your understanding of governance, compliance, and visibility in AWS. Tracking resource configurations and user actions is a cornerstone of cloud security and operational integrity. AWS Config and CloudTrail together provide a powerful combination of monitoring and auditing that helps enforce organizational policies effectively.

A helpful trick is to remember that AWS Config is for configuration auditing and compliance, while CloudTrail is for tracking API activity and user actions. These two services are commonly paired to ensure full coverage of change control and governance requirements in AWS environments.

Full AWS Practitioner Certification Question