Question 12
Domain 2: Security Logging and Monitoring

A company wants to know when users make changes to IAM roles in the company's AWS account. The company uses Amazon CloudWatch and AWS CloudTrail in the account. The company has configured a CloudTrail trail to capture read and write API activity for management events. The company has an Amazon Simple Notification Service (Amazon SNS) topic for security notifications. A security engineer must implement a solution that provides a notification when an IAM role is edited. Which solution will meet this requirement?
Correct answer: B
Explanation
CloudTrail management events record IAM control-plane API calls, and because a trail is already configured, EventBridge receives those calls as events with the detail-type "AWS API Call via CloudTrail" in near real time. An EventBridge rule whose pattern selects the `iam.amazonaws.com` event source and the role-mutating `eventName` values can target the existing SNS topic directly, so a notification is sent whenever an IAM role is edited.
Why each option is right or wrong
A. Enable Amazon Detective. Run a Detective investigation for changes to IAM roles. Create an Amazon EventBridge rule that monitors the results of the Detective investigation. Set the SNS topic as the target of the EventBridge rule.
Amazon Detective is an investigation and analysis service that builds a behavior graph from logs and findings after the fact; it is not a real-time event source for individual IAM API calls, so it cannot drive per-edit notifications.
B. Create an Amazon EventBridge rule that monitors AWS API calls from CloudTrail. Scope the event pattern to monitor changes to IAM roles from the iam.amazonaws.com event source. Set the SNS topic as the target of the EventBridge rule.
CloudTrail management events record IAM control-plane API calls, and EventBridge can match those events in near real time from the CloudTrail event stream. The relevant event source is `iam.amazonaws.com`, and role-edit actions such as `CreateRole`, `UpdateRole`, `UpdateAssumeRolePolicy`, `AttachRolePolicy`, `DetachRolePolicy`, or `PutRolePolicy` can be filtered on `eventName` in an EventBridge rule and sent directly to the SNS topic as the target. Three practical points: EventBridge only receives CloudTrail write events (calls starting with `List`, `Get`, or `Describe` are not delivered), which is fine here because an edit is always a write; IAM is a global service, so its CloudTrail events reach EventBridge in the US East (N. Virginia) Region and the rule must be created in `us-east-1`; and the SNS topic's resource policy must allow `sns:Publish` from `events.amazonaws.com`, otherwise the target invocation fails silently.
C. Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Set up a CloudWatch metric to monitor changes to IAM roles from the iam.amazonaws.com event source. Create a subscription filter for the log group. Set the SNS topic as the target of the subscription filter.
This option mixes two different mechanisms. A metric filter turns matching log events into a CloudWatch metric, which can notify SNS only through a CloudWatch alarm; a subscription filter streams raw log events to Kinesis Data Streams, Kinesis Data Firehose, or Lambda. SNS is not a valid subscription filter destination, and no alarm is defined, so nothing here produces a notification.
D. Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Create a subscription filter that includes an event pattern to monitor changes to IAM roles from the iam.amazonaws.com event source. Set the SNS topic as the target of the subscription filter.
CloudWatch Logs subscription filters stream log events to Kinesis Data Streams, Kinesis Data Firehose, or Lambda for further processing; they cannot publish to an SNS topic directly, and they use CloudWatch Logs filter patterns rather than EventBridge event patterns. Making this work would require an extra Lambda function to publish to SNS, which is more complex than option B and not what the option describes.
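The event pattern behind option B, as an added example that is not part of the original question or explanation. The block defines the pattern, implements the exact-match subset of EventBridge's matching rules so the pattern can be exercised offline against constructed CloudTrail events, and includes an optional `deploy_rule` helper built on the real `boto3` `put_rule` / `put_targets` calls. The list of role-changing action names, the sample event contents, the account ID, and the rule and topic names are assumptions for illustration.

```python
"""Added example: EventBridge event pattern for IAM role edits, with an offline matcher.

Assumptions (not from the page): the set of eventName values treated as "role edits",
the constructed sample events, and the rule/topic names used in deploy_rule().
"""
from __future__ import annotations

import json

# IAM control-plane actions that mutate a role. Assumed scope; trim or extend for your policy.
ROLE_CHANGE_ACTIONS = [
    "CreateRole", "DeleteRole", "UpdateRole", "UpdateRoleDescription",
    "UpdateAssumeRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutRolePolicy", "DeleteRolePolicy", "PutRolePermissionsBoundary",
    "DeleteRolePermissionsBoundary", "TagRole", "UntagRole",
]

# The EventBridge event pattern for option B. CloudTrail-delivered events carry the
# detail-type "AWS API Call via CloudTrail" and the CloudTrail record under "detail".
EVENT_PATTERN: dict = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ROLE_CHANGE_ACTIONS,
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge pattern semantics.

    Every key in the pattern must exist in the event; a list of values is an OR of
    exact matches; a nested dict recurses. Operators such as prefix/anything-but
    are deliberately not implemented.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of literal values")
    return True


def sample_event(event_name: str, event_source: str = "iam.amazonaws.com",
                 source: str = "aws.iam") -> dict:
    """Constructed CloudTrail-via-EventBridge event, trimmed to the fields the pattern reads."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "account": "123456789012",  # placeholder account ID
        "region": "us-east-1",      # IAM is global; its events land in us-east-1
        "detail": {
            "eventVersion": "1.08",
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "requestParameters": {"roleName": "AppRole"},
        },
    }


def alerting_events(events: list[dict]) -> list[str]:
    """Return the eventName of every event the rule would forward to SNS."""
    return [e["detail"]["eventName"] for e in events if matches(EVENT_PATTERN, e)]


def deploy_rule(sns_topic_arn: str, rule_name: str = "iam-role-change-alert",
                region: str = "us-east-1") -> None:
    """Create the rule and SNS target with boto3. Not invoked offline; requires AWS credentials.

    The region defaults to us-east-1 because IAM's global-service events are delivered there.
    The topic's access policy must also allow sns:Publish from events.amazonaws.com.
    """
    import boto3  # imported lazily so the offline matcher needs no AWS SDK

    events = boto3.client("events", region_name=region)
    events.put_rule(Name=rule_name, EventPattern=json.dumps(EVENT_PATTERN), State="ENABLED",
                    Description="Notify on IAM role edits (CloudTrail via EventBridge)")
    events.put_targets(Rule=rule_name, Targets=[{"Id": "security-sns", "Arn": sns_topic_arn}])


if __name__ == "__main__":
    # Constructed traffic: two role edits, one read, one user change, one STS call.
    stream = [sample_event("AttachRolePolicy"), sample_event("GetRole"),
              sample_event("AttachUserPolicy"), sample_event("UpdateAssumeRolePolicy"),
              sample_event("AssumeRole", "sts.amazonaws.com", "aws.sts")]
    print("would notify on:", alerting_events(stream))
```

Run the file directly to see which constructed events the pattern selects; only `AttachRolePolicy` and `UpdateAssumeRolePolicy` pass. To test the same pattern against AWS itself without writing code, paste `json.dumps(EVENT_PATTERN)` into the EventBridge console's sandbox and feed it a real CloudTrail record.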