AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 73

A DevOps engineer at a company is supporting an AWS environment in which all users use AWS IAM Identity Center (AWS Single Sign-On). The company wants to immediately disable credentials of any new IAM user and wants the security team to receive a notification.
Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)

Answer options

• A. Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail.
• B. Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in AWS CloudTrail.
• C. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
• D. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
• E. Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team's group email address to the topic.
• F. Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team's group email address to the queue.

Correct answer: A, C, E

Explanation

The correct answer includes creating an EventBridge rule for the IAM CreateUser API call (A), which detects new users, and a Lambda function (C) that disables access keys and deletes login profiles to enhance security. Additionally, an SNS topic (E) is necessary to notify the security team. The other options do not meet all requirements; for example, option B involves a GetLoginProfile API call which is not relevant for user creation, and option D only removes login profiles without disabling access keys.