AWS Certified Security – Specialty (SCS-C02) — Question 220
A company stores sensitive data in AWS Secrets Manager. A security engineer needs to design a solution to generate a notification email when anomalous GetSecretValue API calls occur. The security engineer has configured an Amazon EventBridge rule for all Secrets Manager events that AWS CloudTrail delivers.
Which solution will meet these requirements?
Answer options
- A. Configure CloudTrail as the target of the EventBridge rule. Set up an attribute filter on the IncomingBytes attribute and enable anomaly detection. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudTrail alarm that uses the SNS topic to send the notification.
- B. Configure CloudTrail as the target of the EventBridge rule. Set up an attribute filter on the IncomingBytes attribute and enable anomaly detection. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure a CloudTrail alarm that uses the SQS queue to send the notification.
- C. Configure Amazon CloudWatch Logs as the target of the EventBridge rule. Set up a metric filter on the IncomingBytes metric and enable anomaly detection. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure a CloudWatch alarm that uses the SNS topic to send the notification.
- D. Configure Amazon CloudWatch Logs as the target of the EventBridge rule. Use CloudWatch Logs Insights query syntax to search for anomalous GetSecretValue API calls. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure a CloudWatch alarm that uses the SQS queue to send the notification.
Correct answer: C
Explanation
Option C is correct because it uses Amazon CloudWatch Logs with a metric filter on IncomingBytes and enables anomaly detection, which meets the requirement for notification upon detecting unusual API calls. Options A and B incorrectly suggest using CloudTrail as the target instead of CloudWatch Logs, and they do not utilize metric filters for anomaly detection. Option D, while using CloudWatch Logs, relies on query syntax rather than metric filters, which does not align with the requirements for monitoring API calls.