AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 378
A company uses AWS Organizations to manage its AWS accounts. The company wants its monitoring system to receive an alert when a root user logs in. The company also needs a dashboard to display any log activity that the root user generates.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. Enable AWS Config with a multi-account aggregator. Configure log forwarding to Amazon CloudWatch Logs.
- B. Create an Amazon QuickSight dashboard that uses an Amazon CloudWatch Logs query.
- C. Create an Amazon CloudWatch Logs metric filter to match root user login events. Configure a CloudWatch alarm and an Amazon Simple Notification Service (Amazon SNS) topic to send alerts to the company's monitoring system.
- D. Create an Amazon CloudWatch Logs subscription filter to match root user login events. Configure the filter to forward events to an Amazon Simple Notification Service (Amazon SNS) topic. Configure the SNS topic to send alerts to the company's monitoring system.
- E. Create an AWS CloudTrail organization trail. Configure the organization trail to send events to Amazon CloudWatch Logs.
- F. Create an Amazon CloudWatch dashboard that uses a CloudWatch Logs Insights query.
Correct answer: C, E, F
Explanation
To capture root login events across all accounts in AWS Organizations, an AWS CloudTrail organization trail must be configured to send events to Amazon CloudWatch Logs (Option E). From there, a CloudWatch Logs metric filter can detect the root logins and trigger a CloudWatch alarm to send alerts via Amazon SNS (Option C). Finally, an Amazon CloudWatch dashboard utilizing a CloudWatch Logs Insights query provides the required visualization of root user activity (Option F).
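The matching logic behind options C and F, as an added example that is not part of the original question. The filter pattern, the Logs Insights query and the sample CloudTrail records are constructed assumptions, and the Python functions mirror those two conditions locally so they can be checked offline.

```python
import json
from collections import Counter

# Assumed metric filter pattern for option C (CloudWatch Logs JSON filter syntax).
ROOT_LOGIN_FILTER = '{ ($.eventName = "ConsoleLogin") && ($.userIdentity.type = "Root") }'
# Assumed Logs Insights query for the option F dashboard widget.
ROOT_ACTIVITY_QUERY = (
    'fields @timestamp, recipientAccountId, eventName, sourceIPAddress '
    '| filter userIdentity.type = "Root" | sort @timestamp desc'
)

# Constructed CloudTrail records, shaped like those an organization trail delivers.
SAMPLE_LINES = [
    '{"eventName":"ConsoleLogin","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"IAMUser"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"CreateAccessKey","recipientAccountId":"222222222222",'
    '"userIdentity":{"type":"Root"},"responseElements":null}',
    '{"eventName":"ConsoleLogin","recipientAccountId":"222222222222",'
    '"userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Failure"}}',
    'not-json: truncated delivery',
]

def is_root(event):
    """Same condition as the Logs Insights filter: userIdentity.type = "Root"."""
    return (event.get("userIdentity") or {}).get("type") == "Root"

def is_root_login(event):
    """Same condition as ROOT_LOGIN_FILTER: root identity and a ConsoleLogin event."""
    return is_root(event) and event.get("eventName") == "ConsoleLogin"

def evaluate(lines):
    """Return (alerts, activity): login alerts and per-account root event counts."""
    alerts, activity = [], Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip malformed records instead of failing the whole batch
        if not isinstance(event, dict) or not is_root(event):
            continue
        account = event.get("recipientAccountId", "unknown")
        activity[account] += 1  # everything root does feeds the dashboard
        if is_root_login(event):
            outcome = (event.get("responseElements") or {}).get("ConsoleLogin", "unknown")
            alerts.append((account, outcome))
    return alerts, dict(activity)
```

Because the pattern does not test `responseElements.ConsoleLogin`, failed root sign-in attempts raise the alarm as well as successful ones.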