Q68 — AWS DOP-C02 Ch.1
A highly regulated company has implemented a policy prohibiting DevOps engineers from logging in to Amazon EC2 instances except during emergencies. If a login does occur, the security team must be notified within 15 minutes. Which solution meets these requirements?
- A. Install the Amazon Inspector agent on each EC2 instance. Subscribe to Amazon CloudWatch Events notifications. Trigger an AWS Lambda function to inspect messages for user login events and send notifications via Amazon SNS to the security team.
- B. Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up CloudWatch metric filters to search for user login events. If detected, send notifications via Amazon SNS to the security team. ✓
- C. Configure AWS CloudTrail with Amazon CloudWatch Logs. Subscribe CloudWatch Logs to Amazon Kinesis. Attach an AWS Lambda function to Kinesis to parse logs and identify login events, then notify the security team via Amazon SNS.
- D. Deploy a script on each Amazon EC2 instance to push logs to Amazon S3. Configure S3 event notifications to trigger an AWS Lambda function that invokes Amazon Athena to query logs for login events and sends results via Amazon SNS to the security team.
Correct Answer: B. Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up CloudWatch metric filters to search for user login events. If detected, send notifications via Amazon SNS to the security team.
Explanation
The requirement is real-time detection of EC2 logins and notification within 15 minutes. Option B uses the CloudWatch agent to stream logs directly to CloudWatch Logs, applies metric filters to detect login patterns (e.g., SSH or system auth logs), and sends SNS notifications as soon as a match occurs, through a CloudWatch alarm on the metric the filter produces. This satisfies timeliness, automation, and reliability. Option A relies on Amazon Inspector, which focuses on security assessments, not login auditing. Option C adds unnecessary complexity with Kinesis. Option D introduces latency via S3 storage and Athena querying. Therefore, Option B is optimal.