Q25 — AWS DOP-C02 Ch.1
A DevOps engineer wants to implement an automated response when AWS Trusted Advisor detects IAM access keys in public source code repositories. The automated response should delete exposed access keys and notify the security team.
- A. Create an AWS Lambda function to delete IAM access keys. Configure AWS CloudTrail logs to stream to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions: first, invoke the Lambda function; second, send a notification to the security team using Amazon Simple Notification Service (Amazon SNS).
- B. Create an AWS Lambda function to delete IAM access keys. Create an AWS Config rule with two actions for status changes of 'aws.trustedadvisor' and 'Exposed Access Keys'. First, run the Lambda function; second, send a notification to the security team using Amazon Simple Notification Service (Amazon SNS).
- C. Create an AWS Lambda function to delete IAM access keys and use Amazon Simple Notification Service (Amazon SNS) to notify the security team. Create an AWS Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event and configure the Personal Health Dashboard rule target as the Lambda function's ARN.
- D. Create an AWS Lambda function to delete IAM access keys. Create an Amazon EventBridge (Amazon CloudWatch Events) rule using the 'aws.trustedadvisor' event source and the 'Exposed Access Keys' status. Configure the EventBridge (CloudWatch Events) rule to invoke the Lambda function and publish to an Amazon SNS topic for notifying the security team. ✓
Correct Answer: D. Create an AWS Lambda function to delete IAM access keys. Create an Amazon EventBridge (Amazon CloudWatch Events) rule using the 'aws.trustedadvisor' event source and the 'Exposed Access Keys' status. Configure the EventBridge (CloudWatch Events) rule to invoke the Lambda function and publish to an Amazon SNS topic for notifying the security team.
Explanation
AWS Trusted Advisor can detect IAM access keys in public source code repositories, and its check results are published as events to Amazon EventBridge. To meet the DevOps engineer's requirement of automatically deleting exposed access keys and notifying the security team, the solution must react to those Trusted Advisor detection events. Option D does this correctly: an EventBridge rule matching the 'aws.trustedadvisor' event source and the 'Exposed Access Keys' check status can have multiple targets, so a single rule invokes the remediation Lambda function and publishes to an SNS topic, giving remediation and notification in one native, serverless workflow. Because Trusted Advisor is a global service, its events are delivered to EventBridge in the US East (N. Virginia) Region, so the rule must be created there. The other options misapply CloudTrail, AWS Config, or the Personal Health Dashboard, none of which natively emit Trusted Advisor findings as actionable events.