AWS Certified Data Engineer – Associate (DEA-C01) — Question 149
A company stores its processed data in an S3 bucket. The company has a strict data access policy. The company uses IAM roles to grant teams within the company different levels of access to the S3 bucket.
The company wants to receive notifications when a user violates the data access policy. Each notification must include the username of the user who violated the policy.
Which solution will meet these requirements?
Answer options
- A. Use AWS Config rules to detect violations of the data access policy. Set up compliance alarms.
- B. Use Amazon CloudWatch metrics to gather object-level metrics. Set up CloudWatch alarms.
- C. Use AWS CloudTrail to track object-level events for the S3 bucket. Forward events to Amazon CloudWatch to set up CloudWatch alarms.
- D. Use Amazon S3 server access logs to monitor access to the bucket. Forward the access logs to an Amazon CloudWatch log group. Use metric filters on the log group to set up CloudWatch alarms.
Correct answer: C
Explanation
The correct answer is C. CloudTrail data events for the bucket record every object-level API call (GetObject, PutObject, DeleteObject and so on) together with the caller's identity in the userIdentity block: the userName for an IAM user, and for an IAM role the role name (sessionContext.sessionIssuer.userName) plus the role session name from the assumed-role ARN. Data events are not logged by default and must be enabled for the bucket on the trail. Delivering the trail to a CloudWatch Logs log group allows metric filters and alarms on those events. Note that a CloudWatch alarm notification only reports that a metric crossed a threshold; to put the username into the notification, a subscription filter on the log group (for example, to a Lambda function) has to read userIdentity from the matching event and publish it. Option A is incorrect because AWS Config evaluates resource configuration against rules (for example, whether the bucket is public or encrypted); it does not see individual API calls or who made them. Option B is incorrect because CloudWatch S3 metrics are aggregate storage and request counts that carry no caller identity. Option D is incorrect because S3 server access logs, although they do record the requester, are delivered on a best-effort basis with delays that can reach hours, and there is no built-in delivery of them into a CloudWatch Logs log group, so a custom pipeline would be needed before metric filters could apply.
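As an added example (not part of the exam page and not AWS code), the following Python models the consumer that would sit behind a CloudWatch Logs subscription filter on the CloudTrail log group: it reads S3 data-event records, decides which ones violate an access policy, and extracts the username from the userIdentity block for both IAM users and assumed roles. The bucket name, role names, prefixes, the policy table and the sample records are all constructed assumptions; a real subscription payload also needs base64 and gzip decoding, which is omitted here.

```python
"""Flag S3 data-access policy violations in CloudTrail records and name the user.

Added example, not code from the exam page or from AWS. Bucket, roles,
prefixes, policy table and sample events are assumptions.
"""
import json

BUCKET = "processed-data-bucket"  # assumed bucket name

# Assumed policy: role -> S3 action -> allowed key prefixes. Anything else is a violation.
ALLOWED = {
    "AnalyticsTeamRole": {"GetObject": ("reports/",)},
    "IngestTeamRole": {"PutObject": ("raw/",), "GetObject": ("raw/",)},
}


def username_from_identity(identity):
    """Return a human-readable caller name from a CloudTrail userIdentity block.

    IAM user: userName. Assumed role: the role name from
    sessionContext.sessionIssuer.userName plus the session name, which is the
    last segment of the assumed-role ARN (arn:aws:sts::acct:assumed-role/Role/session).
    """
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity["userName"]
    if kind == "AssumedRole":
        role = identity["sessionContext"]["sessionIssuer"]["userName"]
        session = identity["arn"].rsplit("/", 1)[-1]
        return f"{role}/{session}"
    if kind == "Root":
        return "root"
    return identity.get("principalId", "unknown")


def role_name(identity):
    """Name used to look the caller up in the policy table."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["userName"]
    return identity.get("userName")


def evaluate(record):
    """Return a violation dict for an S3 data event on BUCKET that breaks the policy, else None.

    Design choice: a request IAM already denied (errorCode AccessDenied) is still
    reported, because the attempt itself is what the policy forbids.
    """
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    params = record.get("requestParameters") or {}
    if params.get("bucketName") != BUCKET:
        return None
    action, key, identity = record["eventName"], params.get("key", ""), record["userIdentity"]
    if record.get("errorCode") == "AccessDenied":
        reason = "denied by IAM"
    else:
        prefixes = ALLOWED.get(role_name(identity), {}).get(action, ())
        if any(key.startswith(p) for p in prefixes):
            return None
        reason = "outside allowed prefixes"
    return {"user": username_from_identity(identity), "action": action, "key": key,
            "reason": reason, "time": record["eventTime"],
            "sourceIP": record.get("sourceIPAddress")}


def scan(records):
    """Evaluate a batch of records and return the violations found, in order."""
    return [v for v in (evaluate(r) for r in records) if v]


def notification(v):
    """Message body for the notification; the username is mandatory here."""
    return (f"Data access policy violation in s3://{BUCKET}: user {v['user']} attempted "
            f"{v['action']} on {v['key']} at {v['time']} from {v['sourceIP']} ({v['reason']})")


def from_log_events(log_events):
    """Decode the 'message' field of CloudWatch Logs events into CloudTrail records."""
    return [json.loads(e["message"]) for e in log_events]


def _assumed(role, session):
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"userName": role}}}


# Constructed sample CloudTrail records, trimmed to the fields used above.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": _assumed("AnalyticsTeamRole", "alice"),
     "requestParameters": {"bucketName": BUCKET, "key": "reports/2024-04.parquet"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": _assumed("AnalyticsTeamRole", "alice"),
     "requestParameters": {"bucketName": BUCKET, "key": "raw/customers.csv"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/2024-04.parquet"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.2.7",
     "userIdentity": _assumed("IngestTeamRole", "etl-job"),
     "requestParameters": {"bucketName": "some-other-bucket", "key": "raw/x.csv"}},
]

if __name__ == "__main__":
    events = [{"message": json.dumps(r)} for r in SAMPLE_RECORDS]
    for violation in scan(from_log_events(events)):
        print(notification(violation))
```

Running the module reports two violations: the AnalyticsTeamRole session for alice reading under raw/, and IAM user bob whose request IAM denied; the allowed report read and the event for a different bucket are ignored. This is the step a metric filter plus alarm cannot do on its own, since the alarm only signals a count threshold and never carries the userIdentity fields.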