AWS Certified Solutions Architect – Professional — Question 976

A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-
Region AWS CloudTrail trail in the AWS account.
Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.
• B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic.
• C. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access.
• D. Invoke an AWS Step Functions state machine to remove access.
• E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.
• F. Use Amazon Pinpoint to notify the security team.

Correct answer: A, D, E

Explanation

To automate this workflow, an Amazon EventBridge rule is used to detect the CreateUser API call captured by AWS CloudTrail. The rule triggers an AWS Step Functions state machine, which is ideal for orchestrating the multi-step process of stripping the user's initial access and handling the approval workflow. Finally, Amazon SNS is the appropriate service to send a notification to the security team for manual approval, whereas Amazon Pinpoint is meant for customer engagement and ECS Fargate introduces unnecessary overhead for this orchestration task.