Q31 — AWS DOP-C02 Ch.1
Question 31 of 100, Chapter 1
A company grants limited AWS permissions to employees. DevOps engineers assume administrator roles. For auditing purposes, the security team wants near real-time notifications when an administrator role is assumed.
- A. Configure AWS Config to deliver logs to an Amazon S3 bucket. Use Amazon Athena to query logs and send notifications to the security team when an administrator role is assumed.
- B. Configure Amazon GuardDuty to monitor when an administrator role is assumed and send notifications to the security team.
- C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule using an AWS Management Console sign-in event pattern that publishes to an Amazon SNS topic when an administrator role is assumed.
- D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule triggered by AWS CloudTrail event patterns via an AWS API call, invoking an AWS Lambda function that publishes to an Amazon SNS topic when an administrator role is assumed. ✓
Correct Answer: D.
Explanation
Option D is correct because CloudTrail records the sts:AssumeRole API call no matter how the role is assumed (CLI, SDK, console, federated sign-in), and EventBridge receives those records as "AWS API Call via CloudTrail" events in near real time. A rule that matches eventSource = sts.amazonaws.com, eventName = AssumeRole and requestParameters.roleArn equal to the administrator role's ARN therefore covers every role assumption path; the Lambda target formats the notification (caller ARN, source IP, session name) and publishes it to the SNS topic. An EventBridge rule could also target SNS directly, but the Lambda step lets the security team receive a readable message rather than the raw event. Do not key the rule on userIdentity.type = AssumedRole: in the AssumeRole record, userIdentity describes the caller, so an IAM user assuming the administrator role appears as IAMUser and would be missed. Two deployment caveats: CloudTrail must be logging management events for EventBridge to receive these events, and the rule must be in the region where the STS call is recorded (calls to the global STS endpoint are logged in us-east-1 by default). Option C only matches console sign-in events and misses CLI and SDK role assumptions. Option A relies on AWS Config, which records resource configuration changes, not API calls such as role assumptions, and querying delivered logs with Athena is a batch process, not near real-time. Option B misapplies GuardDuty, which raises findings on anomalous or malicious activity, not on routine, authorized role assumptions.
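The rule and Lambda target described above, as an added example that is not part of the original question or explanation. It implements a subset of EventBridge pattern matching so the rule can be exercised offline against constructed CloudTrail records (an IAM user assuming the admin role from the CLI, a read-only role assumption, a chained role session, and a console sign-in event of the kind option C would catch). The account ID, the role name AdminAccess, the SNS topic ARN and all sample events are hypothetical; the `publish` parameter stands in for boto3's sns.publish so nothing is sent.

```python
"""Near real-time alerting on administrator-role assumption from CloudTrail
events delivered through EventBridge (added example, not from the original page).
Hypothetical values: account 111122223333, role AdminAccess, SNS topic ARN."""
import json

ACCOUNT_ID = "111122223333"                                            # hypothetical
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AdminAccess"         # hypothetical
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:admin-role-assumed"   # hypothetical

# EventBridge rule pattern: keys on the API call and the target role ARN, not on
# the caller's identity type, so IAM users, federated users and chained role
# sessions are all caught.
ADMIN_ASSUME_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole"],
        "requestParameters": {"roleArn": [ADMIN_ROLE_ARN]},
    },
}

# Pattern that filters on userIdentity.type instead, kept only to show why that is
# the wrong field: an IAM user calling AssumeRole has type IAMUser, not AssumedRole.
BY_CALLER_TYPE_PATTERN = {
    "source": ["aws.sts"],
    "detail": {"eventName": ["AssumeRole"], "userIdentity": {"type": ["AssumedRole"]}},
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every pattern key must exist in
    the event; a list means 'exactly one of these values'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def build_notification(event):
    """Fields the Lambda target publishes to SNS for one matched AssumeRole event."""
    d = event["detail"]
    ident = d.get("userIdentity", {})
    return {
        "time": d["eventTime"],
        "role": d["requestParameters"]["roleArn"],
        "caller": ident.get("arn", ident.get("principalId", "unknown")),
        "callerType": ident.get("type"),
        "sessionName": d["requestParameters"].get("roleSessionName"),
        "sourceIp": d.get("sourceIPAddress"),
        "userAgent": d.get("userAgent"),
    }


def lambda_handler(event, context=None, publish=print):
    """Lambda entry point. `publish` is injected so the example runs offline; in AWS
    pass boto3.client("sns").publish, which accepts TopicArn/Subject/Message."""
    note = build_notification(event)
    publish(json.dumps({"TopicArn": TOPIC_ARN, "Subject": "Administrator role assumed",
                        "Message": json.dumps(note)}))
    return note


def ct_event(detail_type, source, detail):
    """Wrap a CloudTrail record the way EventBridge delivers it."""
    return {"version": "0", "source": source, "detail-type": detail_type,
            "account": ACCOUNT_ID, "region": "us-east-1", "detail": detail}


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    ct_event("AWS API Call via CloudTrail", "aws.sts", {  # IAM user via CLI -> alert
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
        "requestParameters": {"roleArn": ADMIN_ROLE_ARN, "roleSessionName": "alice"}}),
    ct_event("AWS API Call via CloudTrail", "aws.sts", {  # read-only role -> no alert
        "eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.11",
        "userAgent": "aws-sdk-go/1.50",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/bob"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/ReadOnly",
                              "roleSessionName": "bob"}}),
    ct_event("AWS API Call via CloudTrail", "aws.sts", {  # role chaining -> alert
        "eventTime": "2024-05-01T10:02:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/DevOps/carol"},
        "requestParameters": {"roleArn": ADMIN_ROLE_ARN, "roleSessionName": "carol"}}),
    ct_event("AWS Console Sign In via CloudTrail", "aws.signin", {  # option C's event
        "eventTime": "2024-05-01T10:03:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.12",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/dave"},
        "responseElements": {"ConsoleLogin": "Success"}}),
]


def run_rule(pattern, events, publish=lambda msg: None):
    """Apply a rule pattern to a batch of events, invoke the Lambda target on each
    match, and return the notifications that would have been published."""
    return [lambda_handler(e, publish=publish) for e in events if matches(pattern, e)]


if __name__ == "__main__":
    for n in run_rule(ADMIN_ASSUME_PATTERN, SAMPLE_EVENTS, publish=print):
        print(n)
```

Running the admin pattern over the four sample events alerts on the IAM-user and chained-session assumptions of AdminAccess and ignores the read-only assumption and the console sign-in; the BY_CALLER_TYPE_PATTERN variant catches only the chained session, which is the coverage gap that filtering on userIdentity.type introduces.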