Q20 — AWS DOP-C02 Ch.1
A company uses AWS Organizations to centrally manage AWS accounts. Its automation account hosts a CI/CD pipeline used to create and configure new AWS accounts. The company has an internal service team that provides services across accounts in the organization. The service team operates using a set of service accounts. When the CreateAccount API is called to create a new account, the service team wants to receive an AWS CloudTrail event in one of its service accounts.
- A. Create an Amazon EventBridge rule in the automation account that sends the account creation event to the default event bus in the service account. Update the default event bus in the service account to allow events from the automation account. ✓
- B. Create a custom Amazon EventBridge event bus in the service account. Update the custom event bus to allow events from the automation account. Create an EventBridge rule in the service account that listens directly to CloudTrail events from the automation account.
- C. Create custom Amazon EventBridge event buses in both the automation account and the service account. Create EventBridge rules and resource policies connecting the custom event buses across accounts.
- D. Create a custom Amazon EventBridge event bus in the automation account. Create an EventBridge rule and resource policy that connects the custom event bus to the default event bus in the service account.
Correct Answer: A. Create an Amazon EventBridge rule in the automation account that sends the account creation event to the default event bus in the service account. Update the default event bus in the service account to allow events from the automation account.
Explanation
Amazon EventBridge default event buses support cross-account event delivery natively. To deliver CloudTrail events from the automation account to the service account, the recommended pattern is: (1) in the automation account, create an EventBridge rule that matches the CreateAccount CloudTrail event and targets the service account's default event bus; (2) on the service account's default event bus, attach a resource-based policy that permits events:PutEvents from the automation account. Option A follows this exact, documented pattern.

Options B, C, and D unnecessarily introduce custom event buses or misconfigure the target, violating the principle of least complexity and deviating from AWS best practices for cross-account CloudTrail event delivery.
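The following is an added example, not part of the original question or explanation, showing the two artifacts option A relies on: the rule's event pattern for the CreateAccount CloudTrail event and the resource policy on the service account's default event bus. It also includes a deliberately simplified matcher and a constructed CloudTrail event so the pattern can be checked offline. The account IDs, region, and the third policy (for the IAM role the sending rule assumes) are assumptions for illustration; real values come from your own organization.

```python
"""Cross-account EventBridge delivery of the CreateAccount CloudTrail event (added example)."""
import json

# Placeholder account IDs and region: assumptions, replace with your own.
AUTOMATION_ACCOUNT = "111111111111"
SERVICE_ACCOUNT = "222222222222"
# Organizations is a global service; its CloudTrail events are delivered in us-east-1,
# so the sending rule lives there.
REGION = "us-east-1"


def create_account_pattern() -> dict:
    """Event pattern for the rule in the automation account (option A, step 1)."""
    return {
        "source": ["aws.organizations"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["organizations.amazonaws.com"],
            "eventName": ["CreateAccount"],
        },
    }


def service_bus_policy(sender_account: str, service_account: str, region: str) -> dict:
    """Resource-based policy for the service account's default bus (option A, step 2).
    Least privilege: only PutEvents, only from the sender account, only on this bus."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAutomationAccountPutEvents",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{sender_account}:root"},
            "Action": "events:PutEvents",
            "Resource": f"arn:aws:events:{region}:{service_account}:event-bus/default",
        }],
    }


def sender_role_policy(service_account: str, region: str) -> dict:
    """IAM permissions policy for the role the sending rule uses as its target RoleArn.
    Cross-account bus targets require such a role; its trust policy must allow
    events.amazonaws.com to assume it (not shown)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": f"arn:aws:events:{region}:{service_account}:event-bus/default",
        }],
    }


def matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge matching: a list is a set of allowed values for that
    field, a nested dict recurses. Real EventBridge also supports prefix, numeric
    and exists filters, which this illustration omits."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


# Constructed sample of the CloudTrail event as EventBridge would present it.
SAMPLE_CREATE_ACCOUNT_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",  # constructed
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.organizations",
    "account": AUTOMATION_ACCOUNT,
    "time": "2024-01-01T00:00:00Z",
    "region": REGION,
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccount",
        "awsRegion": REGION,
        "requestParameters": {"accountName": "example-workload", "email": "HIDDEN_DUE_TO_SECURITY_REASONS"},
    },
}


if __name__ == "__main__":
    print("pattern:", json.dumps(create_account_pattern(), indent=2))
    print("bus policy:", json.dumps(service_bus_policy(AUTOMATION_ACCOUNT, SERVICE_ACCOUNT, REGION), indent=2))
    print("sample event matches:", matches(create_account_pattern(), SAMPLE_CREATE_ACCOUNT_EVENT))
```

Two points the question does not spell out but a deployment hits immediately: the rule in the automation account must specify an IAM role (the `sender_role_policy` above) when its target is another account's event bus, and events forwarded cross-account are not forwarded again, so the service account still needs its own rule on the default bus to hand the event to a queue, function, or topic.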