Q38 — AWS SAP-C02 Ch.1
Question 38 of 75 | ← Chapter 1
Q113. A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account. Which combination of steps will meet these requirements?(Select THREE.)
- A. Create an Amazon EventBridge rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser ✓
- B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic
- C. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access
- D. Invoke an AWS Step Functions state machine to remove access ✓
- E. Use Amazon Simple Notification Service(Amazon SNS) to notify the security team ✓
- F. Use Amazon Pinpoint to notify the security team
Correct Answer: A. Create an Amazon EventBridge rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser, D. Invoke an AWS Step Functions state machine to remove access, E. Use Amazon Simple Notification Service(Amazon SNS) to notify the security team
Explanation
- A: The first step is to create an EventBridge rule that listens for the specific API call to create a new IAM user. This will trigger the next step in the process.- D: The next step is to use an AWS Step Functions state machine to remove access for the new IAM user. This ensures that access is removed automatically, as required by the security team.- E: Finally, use Amazon SNS to notify the security team that a new user has been created and access has been removed. This allows the security team to review and approve the user as necessary.Option B is not correct because CloudTrail alone is not able to remove access for the new user.Option C is not correct because it is not specified in the question that the company is using Amazon Elastic Container Service and AWS Fargate technology.Option F is not correct because the question specifies that the company should use Amazon SNS to notify the security team, not Amazon Pinpoint.