Q94 — AWS SCS-C02 Ch.1
Question 94 of 100 | ← Chapter 1
A company has secured the AWS account root user for its AWS account by following AWS best practices. The company also has enabled AWS CloudTrail, which is sending its logs to Amazon S3. A security engineer wants to receive notification in near-real time if a user uses the AWS account root user credentials to sign in to the AWS Management Console. Which solutions will provide this notification? (Choose two.)
- A. Use AWS Trusted Advisor and its security evaluations for the root account. Configure an Amazon EventBridge event rule that is invoked by the Trusted Advisor API. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.
- B. Use AWS IAM Access Analyzer. Create an Amazon CloudWatch Logs metric filter to evaluate log entries from Access Analyzer that detect a successful root account login. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification.
- C. Configure AWS CloudTrail to send its logs to Amazon CloudWatch Logs. Configure a metric filter on the CloudWatch Logs log group used by CloudTrail to evaluate log entries for successful root account logins. Create an Amazon CloudWatch alarm that monitors whether a root login has occurred. Configure the CloudWatch alarm to notify an Amazon Simple Notification Service (Amazon SNS) topic when the alarm enters the ALARM state. Subscribe any required endpoints to this SNS topic so that these endpoints can receive notification. ✓
- D. Configure AWS CloudTrail to send log notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function that parses the CloudTrail notification for root login activity and notifies a separate SNS topic that contains the endpoints that should receive notification. Subscribe the Lambda function to the SNS topic that is receiving log notifications from CloudTrail. ✓
- E. Configure an Amazon EventBridge event rule that runs when Amazon CloudWatch API calls are recorded for a successful root login. Configure the rule to target an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe any required endpoints to the SNS topic so that these endpoints can receive notification.
Correct Answer: C, D
Explanation
The question asks for near-real-time notification whenever the root user signs in to the AWS Management Console. CloudTrail records every console sign-in as a ConsoleLogin event from signin.amazonaws.com, with userIdentity.type set to Root and responseElements.ConsoleLogin set to Success or Failure, so the solution must process CloudTrail output as it is produced rather than on a periodic schedule.

Option C is correct. Sending the trail to a CloudWatch Logs log group, putting a metric filter on that group that matches successful root ConsoleLogin events, and alarming on the resulting metric into an SNS topic is the pattern AWS documents for real-time processing of CloudTrail logs with CloudWatch; it is also the basis of the CIS AWS Foundations Benchmark control for monitoring root account usage. Events reach CloudWatch Logs within minutes of the API call, which satisfies the near-real-time requirement.

Option D is correct. CloudTrail can publish an SNS notification each time it delivers a log file to the S3 bucket. A Lambda function subscribed to that topic receives the bucket name and object key(s) in the message, downloads and parses the delivered log file, and publishes to a second SNS topic when it finds a successful root ConsoleLogin. No EventBridge rule is needed for this path; the delivery notification itself is the trigger. (An EventBridge rule on CloudTrail console sign-in events would also work, but none of the options describes it.)

The other options fail for specific reasons. A: Trusted Advisor security checks are periodic posture checks (for example, whether the root user has MFA enabled) and do not emit an event per sign-in. B: IAM Access Analyzer evaluates resource policies for external access and produces no sign-in log entries for a metric filter to match. E: a root console sign-in is a CloudTrail ConsoleLogin event, not an Amazon CloudWatch API call, so a rule keyed on CloudWatch API activity never fires.
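As an added example (not code from the question page or from AWS), the detection logic behind options C and D in Python: the CloudWatch Logs metric filter pattern that would sit on the CloudTrail log group, the same predicate evaluated in code, and a Lambda-style handler that consumes CloudTrail's SNS log-delivery notification. The CloudTrail records, bucket name, object key and account ID are constructed placeholders, and the S3 fetch is injected as a function so the example runs offline.

```python
"""Detect successful AWS root console sign-ins in CloudTrail output.

Added example; not from the question page or from AWS. It shows:
  * option C: the CloudWatch Logs metric filter pattern for the CloudTrail
    log group, and the same predicate evaluated in Python;
  * option D: a Lambda-style handler fed by CloudTrail's SNS "log file
    delivered" notification, returning one alert per successful root login.
All records, bucket names, object keys and account IDs are constructed.
"""
import json
from typing import Callable, List

# Option C. CloudWatch Logs filter syntax; attach to the log group that
# receives the trail and alarm on the resulting metric (>= 1 per period).
ROOT_CONSOLE_LOGIN_FILTER_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.userIdentity.type = "Root") '
    '&& ($.userIdentity.invokedBy NOT EXISTS) '
    '&& ($.responseElements.ConsoleLogin = "Success") }'
)


def is_successful_root_console_login(record: dict) -> bool:
    """Same predicate as the metric filter: root, console sign-in, succeeded."""
    ident = record.get("userIdentity") or {}
    resp = record.get("responseElements") or {}
    return (
        record.get("eventName") == "ConsoleLogin"
        and ident.get("type") == "Root"
        and "invokedBy" not in ident  # exclude an AWS service acting as root
        and resp.get("ConsoleLogin") == "Success"
    )


def summarize(record: dict) -> dict:
    """The fields responders need in the outgoing SNS message."""
    ident = record.get("userIdentity") or {}
    extra = record.get("additionalEventData") or {}
    return {
        "account": ident.get("accountId"),
        "time": record.get("eventTime"),
        "sourceIp": record.get("sourceIPAddress"),
        "mfaUsed": extra.get("MFAUsed"),
    }


def find_root_console_logins(records: List[dict]) -> List[dict]:
    return [summarize(r) for r in records if is_successful_root_console_login(r)]


# Option D. CloudTrail's delivery notification is an SNS message whose body
# is JSON like {"s3Bucket": "...", "s3ObjectKey": ["AWSLogs/.../x.json.gz"]}.
# fetch_log_file(bucket, key) returns the parsed log file ({"Records": [...]}).
# It is injected so this runs offline; in a real Lambda it would wrap boto3
# S3 get_object plus gzip decompression, and each alert would be sent with
# SNS publish to the responders' topic (assumed wiring, not shown here).
def handle_cloudtrail_notification(
    sns_event: dict, fetch_log_file: Callable[[str, str], dict]
) -> List[dict]:
    alerts: List[dict] = []
    for sns_record in sns_event.get("Records", []):
        message = json.loads(sns_record["Sns"]["Message"])
        bucket = message["s3Bucket"]
        for key in message.get("s3ObjectKey", []):
            log_file = fetch_log_file(bucket, key)
            alerts.extend(find_root_console_logins(log_file.get("Records", [])))
    return alerts


# --- constructed sample data (not real CloudTrail output) ------------------
def _console_login(identity_type: str, outcome: str, mfa: str) -> dict:
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventTime": "2024-01-01T00:00:00Z",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": identity_type, "accountId": "123456789012"},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


SAMPLE_RECORDS = [
    _console_login("Root", "Success", "Yes"),     # should alert
    _console_login("Root", "Failure", "No"),      # failed attempt: no alert
    _console_login("IAMUser", "Success", "Yes"),  # ordinary user: no alert
    {   # root API call that is not a sign-in: not matched by this filter
        "eventName": "GetAccountSummary",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
    },
]
SAMPLE_BUCKET = "example-cloudtrail-bucket"
SAMPLE_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/sample.json.gz"
SAMPLE_LOG_FILES = {(SAMPLE_BUCKET, SAMPLE_KEY): {"Records": SAMPLE_RECORDS}}
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps(
    {"s3Bucket": SAMPLE_BUCKET, "s3ObjectKey": [SAMPLE_KEY]})}}]}


def fetch_sample_log_file(bucket: str, key: str) -> dict:
    return SAMPLE_LOG_FILES[(bucket, key)]


if __name__ == "__main__":
    alerts = handle_cloudtrail_notification(SAMPLE_SNS_EVENT, fetch_sample_log_file)
    print(json.dumps(alerts, indent=2))
```

Of the four constructed records only the successful root sign-in produces an alert; the failed root attempt, the IAM user sign-in and the non-sign-in root API call are all filtered out, which is the same behaviour the option C metric filter gives when attached to the log group. If you also want failed root attempts (a useful signal for credential-stuffing against root), drop the responseElements clause from both the pattern and the predicate.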