AWS Certified Security – Specialty — Question 271

A company has a strict policy against using root credentials. The company's security team wants to be alerted as soon as possible when root credentials are used to sign in to the AWS Management Console.
How should the security team achieve this goal?

Answer options

• A. Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
• B. Use Amazon EventBridge (Amazon CloudWatch Events) to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
• C. Use Amazon Athena to query AWS SSO logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
• D. Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).

Correct answer: B

Explanation

Amazon EventBridge (Amazon CloudWatch Events) can detect AWS Management Console sign-in events in near-real-time and route them directly to an Amazon SNS topic for immediate alerting. Using AWS Lambda to periodically query logs introduces unnecessary latency and complexity compared to event-driven rules. Amazon Athena and AWS Resource Access Manager are incorrect because they are not designed for real-time monitoring of console authentication events.