AWS Certified Security – Specialty — Question 178
A developer reported that AWS CloudTrail was disabled on their account. A security engineer investigated the account and discovered the event was undetected by the current security solution. The security engineer must recommend a solution that will detect future changes to the CloudTrail configuration and send alerts when changes occur.
What should the security engineer do to meet these requirements?
Answer options
- A. Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS.
- B. Create an Amazon CloudWatch Events rule to monitor Amazon GuardDuty findings. Send email notifications using Amazon SNS.
- C. Update security contact details in AWS account settings for AWS Support to send alerts when suspicious activity is detected.
- D. Use Amazon Inspector to automatically detect security issues. Send alerts using Amazon SNS.
Correct answer: B
Explanation
The correct answer is B: a CloudWatch Events rule that watches GuardDuty findings detects tampering with the CloudTrail configuration (such as logging being disabled, the very change that went unnoticed here) and notifies stakeholders through Amazon SNS. Options A and D do not address monitoring CloudTrail configuration changes (AWS RAM shares resources across accounts; Amazon Inspector assesses workloads for vulnerabilities), while option C relies on AWS Support rather than providing a proactive detection mechanism.
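To make option B concrete, here is an added example (not part of the exam page) of the event pattern such a rule would use to match GuardDuty findings about CloudTrail being disabled, together with a simplified, offline re-implementation of EventBridge's matching semantics so the pattern can be checked against constructed sample events without an AWS account. The sample events, the hypothetical severity floor of 1, and the reduced matcher (exact, prefix and numeric filters only) are assumptions for illustration.

```python
# Event pattern for a CloudWatch Events / EventBridge rule, as you would pass it to
# `aws events put-rule --event-pattern`. Stealth:IAMUser/CloudTrailLoggingDisabled is a
# real GuardDuty finding type; the prefix form also catches its siblings in that family.
CLOUDTRAIL_TAMPER_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "type": [{"prefix": "Stealth:IAMUser/CloudTrail"}],
        "severity": [{"numeric": [">=", 1]}],  # assumed floor: alert on any severity
    },
}

_NUMERIC_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}

def _leaf_matches(alternatives, value):
    """Simplified EventBridge leaf semantics: the rule is a list and any one entry may match."""
    for alt in alternatives:
        if isinstance(alt, dict):  # content filter: {"prefix": ...} or {"numeric": [...]}
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
            if "numeric" in alt and isinstance(value, (int, float)):
                ops = alt["numeric"]  # flat list of operator/bound pairs; all must hold
                if all(_NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                    return True
        elif alt == value:  # exact-value alternative
            return True
    return False

def pattern_matches(pattern, event):
    """True if `event` satisfies every field in `pattern`; nested dicts recurse."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not (isinstance(event[key], dict) and pattern_matches(rule, event[key])):
                return False
        elif not _leaf_matches(rule, event[key]):
            return False
    return True

# Constructed sample events shaped like the GuardDuty findings EventBridge delivers
# (real events carry many more detail fields; only the matched ones are shown).
TRAIL_DISABLED_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                        "detail": {"type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "severity": 2}}
UNRELATED_FINDING_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                           "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2}}
```

Once the pattern matches in a live account, the rule's target would be the SNS topic that fans the alert out to the security team.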