AWS Certified Security – Specialty — Question 268

A company recently deployed a new AWS account and wants to be notified immediately if a specific number of unauthorized AWS API requests are detected. A security engineer has turned on AWS CloudTrail for the account and is sending CloudTrail logs to Amazon CloudWatch.
Which other action must the security engineer perform to receive automated alerts about unauthorized AWS API calls?

Answer options

Correct answer: A

Explanation

A CloudWatch metric filter on the log group that receives the CloudTrail logs detects specific error codes, such as AccessDenied, and increments a custom metric for each match. A CloudWatch alarm associated with this metric can then automatically send an Amazon SNS notification when the error count exceeds the defined threshold. Other solutions like Athena and QuickSight are designed for analysis and visualization rather than instant alerting, while AWS Personal Health Dashboard tracks AWS service degradation, not account-level API authorization failures.
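
The filter, alarm and notification chain described above can be expressed as a CloudFormation template. This is an added example, not part of the original question. The parameter names, metric namespace, metric name, the 5-minute period and the default threshold are assumptions, and the pattern goes slightly beyond the explanation by also matching `UnauthorizedOperation` error codes alongside `AccessDenied`.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Alert on unauthorized API calls recorded by CloudTrail (illustrative)
Parameters:
  CloudTrailLogGroupName:      # assumed: log group that CloudTrail delivers to
    Type: String
  AlertEmail:                  # assumed: address that receives the notification
    Type: String
  UnauthorizedCallThreshold:   # the "specific number" of failures that triggers the alert
    Type: Number
    Default: 5                 # constructed value, tune per account
Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail
  UnauthorizedApiFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      # Matches CloudTrail records whose errorCode marks an authorization failure
      FilterPattern: '{ ($.errorCode = "AccessDenied*") || ($.errorCode = "*UnauthorizedOperation") }'
      MetricTransformations:
        - MetricNamespace: Security/CloudTrail   # hypothetical namespace
          MetricName: UnauthorizedApiCalls       # hypothetical metric name
          MetricValue: '1'                       # each matching event adds 1
  UnauthorizedApiAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Unauthorized API calls reached the configured threshold
      Namespace: Security/CloudTrail             # must match the filter's namespace
      MetricName: UnauthorizedApiCalls           # must match the filter's metric name
      Statistic: Sum                             # count of matches in the period
      Period: 300
      EvaluationPeriods: 1
      Threshold: !Ref UnauthorizedCallThreshold
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # The filter emits no datapoints when nothing matches; treat that as healthy
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic                        # Ref on an SNS topic returns its ARN
```

The email subscription must be confirmed by the recipient before SNS delivers alarm notifications to it.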