AWS Certified Solutions Architect – Professional (SAP-C02) — Question 114

A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account.

Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.
• B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic.
• C. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access.
• D. Invoke an AWS Step Functions state machine to remove access.
• E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.
• F. Use Amazon Pinpoint to notify the security team.

Correct answer: A, D, E

Explanation

The correct steps involve creating an EventBridge rule to detect the CreateUser event (A), using AWS Step Functions to manage the workflow of revoking access (D), and using Amazon SNS to notify the security team (E). Options B and C do not fulfill all requirements; B only handles notifications but does not manage access removal, and C introduces unnecessary complexity with ECS when Step Functions is more suitable.