AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 241
A company gives its employees limited rights to AWS. DevOps engineers have the ability to assume an administrator role. For tracking purposes, the security team wants to receive a near-real-time notification when the administrator role is assumed.
How should this be accomplished?
Answer options
- A. Configure AWS Config to publish logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and send a notification to the security team when the administrator role is assumed.
- B. Configure Amazon GuardDuty to monitor when the administrator role is assumed and send a notification to the security team.
- C. Create an Amazon EventBridge event rule using an AWS Management Console sign-in events event pattern that publishes a message to an Amazon SNS topic if the administrator role is assumed.
- D. Create an Amazon EventBridge events rule using an AWS API call that uses an AWS CloudTrail event pattern to invoke an AWS Lambda function that publishes a message to an Amazon SNS topic if the administrator role is assumed.
Correct answer: D
Explanation
The correct answer is D. Assuming a role is an AWS STS AssumeRole API call, and CloudTrail records that call; EventBridge can match the resulting "AWS API Call via CloudTrail" event as it is delivered, so a rule filtered on the administrator role invokes an AWS Lambda function that publishes a notification to an SNS topic within moments of the assumption. Options A and B do not provide a near-real-time alert mechanism: A depends on log delivery to S3 followed by Athena queries, and B depends on GuardDuty findings rather than on a notification for each assumption. Option C does not use CloudTrail; Management Console sign-in events do not capture role assumptions, which are API calls, so CloudTrail is essential for tracking them effectively.
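As an added illustration of option D (not part of the original question or an AWS-published sample), the EventBridge event pattern that matches the CloudTrail-recorded AssumeRole call for one administrator role, together with the Lambda target that turns the event into an SNS message. The role ARN, topic ARN and sample event are constructed placeholders, and the `publish` callback is injectable so the handler can be exercised without AWS credentials.

```python
import json
# Constructed placeholders for the watched role and the notification topic.
ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/AdministratorRole"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:admin-role-assumed"

# Event pattern for the EventBridge rule (assumed wiring): CloudTrail delivers the
# STS AssumeRole management event to EventBridge as "AWS API Call via CloudTrail".
EVENT_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole"],
        "requestParameters": {"roleArn": [ADMIN_ROLE_ARN]},
    },
}

def summarize_assume_role(event):
    """Pull the fields the security team needs out of the CloudTrail record."""
    d = event["detail"]
    who = d.get("userIdentity", {})
    return {
        "time": d.get("eventTime"),
        "role_arn": d["requestParameters"]["roleArn"],
        "session_name": d["requestParameters"].get("roleSessionName"),
        "caller": who.get("arn"),
        "source_ip": d.get("sourceIPAddress"),
        "mfa": who.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated"),
        "error": d.get("errorCode"),  # set when the AssumeRole call was denied
    }

def lambda_handler(event, context=None, publish=None):
    """Lambda entry point. publish(subject, body) is injectable so the handler runs
    offline; inside Lambda it defaults to SNS via boto3 (present in the runtime)."""
    summary = summarize_assume_role(event)
    subject = "Administrator role assumption FAILED" if summary["error"] else "Administrator role assumed"
    if publish is None:
        import boto3
        sns = boto3.client("sns")
        publish = lambda s, b: sns.publish(TopicArn=SNS_TOPIC_ARN, Subject=s, Message=b)
    publish(subject, json.dumps(summary, indent=2))
    return summary

# Constructed sample event, shaped like the CloudTrail record EventBridge would pass in.
SAMPLE_EVENT = {"detail": {
    "eventTime": "2024-05-01T12:34:56Z", "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/devops-alice"},
    "requestParameters": {"roleArn": ADMIN_ROLE_ARN, "roleSessionName": "alice-admin"},
}}
```

EventBridge rules are regional, so the rule has to exist in every region whose STS endpoint the engineers call (calls to the global endpoint are logged in us-east-1), or those regions' events must be forwarded to one central event bus.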