Q31 — AWS DOP-C02 Ch.1

Question 31 of 100, Chapter 1

A company grants limited AWS permissions to employees. DevOps engineers assume administrator roles. For auditing purposes, the security team wants near real-time notifications when an administrator role is assumed.

Correct Answer: D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that matches the AWS CloudTrail event pattern for the AWS API call and invokes an AWS Lambda function, which publishes to an Amazon SNS topic when an administrator role is assumed.

Explanation

Option D is correct because CloudTrail logs all AWS API calls—including AssumeRole—and provides comprehensive, near real-time event capture across all authentication methods (CLI, SDK, console, etc.). EventBridge rules listening to CloudTrail events (e.g., eventName = AssumeRole and userIdentity.type = AssumedRole) ensure coverage of all role assumption paths. Option C only covers console sign-ins, missing CLI/API usage. Option A relies on AWS Config, which does not track IAM role assumptions. Option B misapplies GuardDuty, which detects anomalies—not routine role assumptions.
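The matching described above, as an added example that is not part of the original question bank: an EventBridge-style event pattern for CloudTrail AssumeRole records, applied to constructed sample events with a small matcher that implements the exact-match subset of EventBridge rule semantics. The account id and role name are placeholders, and the pattern filters on requestParameters.roleArn (the role being assumed) so that both a direct IAM-user call (userIdentity.type IAMUser) and a chained assumption (userIdentity.type AssumedRole) are caught, while console sign-ins and other roles are not.

```python
# Placeholder account id and role name (assumptions, not from the question).
ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/AdministratorRole"

# Rule pattern: AssumeRole calls recorded by CloudTrail for the admin role,
# regardless of whether the caller is an IAM user or an existing role session.
ADMIN_ASSUME_ROLE_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole"],
        "requestParameters": {"roleArn": [ADMIN_ROLE_ARN]},
    },
}


def matches(pattern, event):
    """True if every key in `pattern` is satisfied by `event`.
    Leaf values are lists of allowed literals; nested dicts recurse (exact-match rules only)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def cloudtrail_event(detail_type, event_name, event_source, identity_type, role_arn=None):
    """Constructed EventBridge envelope for a CloudTrail record (sample data, not real logs)."""
    detail = {"eventSource": event_source, "eventName": event_name,
              "userIdentity": {"type": identity_type}}
    if role_arn:
        detail["requestParameters"] = {"roleArn": role_arn}
    return {"source": "aws." + event_source.split(".")[0], "detail-type": detail_type, "detail": detail}


API, SIGNIN = "AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"
SAMPLES = {  # constructed sample events covering the paths the explanation contrasts
    "cli_user_assumes_admin": cloudtrail_event(API, "AssumeRole", "sts.amazonaws.com", "IAMUser", ADMIN_ROLE_ARN),
    "chained_assume_admin": cloudtrail_event(API, "AssumeRole", "sts.amazonaws.com", "AssumedRole", ADMIN_ROLE_ARN),
    "assume_readonly": cloudtrail_event(API, "AssumeRole", "sts.amazonaws.com", "IAMUser",
                                        "arn:aws:iam::123456789012:role/ReadOnly"),
    "console_login": cloudtrail_event(SIGNIN, "ConsoleLogin", "signin.amazonaws.com", "IAMUser"),
}


def alerting_samples():
    """Names of the sample events that would trigger the rule (and thus the Lambda/SNS notification)."""
    return sorted(name for name, ev in SAMPLES.items() if matches(ADMIN_ASSUME_ROLE_PATTERN, ev))


if __name__ == "__main__":
    print(alerting_samples())
```

CloudTrail-sourced EventBridge events are delivered in the region where the call was recorded, so the rule should exist in every region where the role can be assumed (including us-east-1 for calls through the global STS endpoint).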