AWS Certified DevOps Engineer – Professional — Question 179
A DevOps engineer at a company is supporting an AWS environment in which all users use AWS IAM Identity Center (AWS Single Sign-On). The company wants to immediately disable the credentials of any new IAM user and wants the security team to receive a notification.
Which combination of steps should the DevOps engineer take to meet these requirements? (Choose three.)
Answer options
- A. Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail.
- B. Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in AWS CloudTrail.
- C. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
- D. Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
- E. Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team’s group email address to the topic.
- F. Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team's group email address to the queue.
Correct answer: A, C, E
Explanation
Option A is correct because the rule captures the creation of a new IAM user, the event that must trigger the subsequent actions. Option C is correct because the Lambda function disables the user's access keys and deletes the login profile, which is what disabling the user's credentials requires. Option E is correct because an SNS topic targeted by the rule, with the security team's group email address subscribed, delivers the required notification. Option B reacts to GetLoginProfile, a read-only call that does not indicate that a user was created. Option D deletes only the login profile and leaves any access keys active, so the credentials are not fully disabled. Option F uses an SQS queue, which cannot deliver messages to an email address, so it does not provide the notification.
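As an added example (not from the question or from AWS), the Lambda function of option C, driven by the CreateUser record that the rule of option A delivers, which also publishes a remediation summary to the SNS topic of option E. The event, the `SECURITY_TOPIC_ARN` environment variable and the ARN values are constructed placeholders, and the clients are passed in so the logic can run offline with stubs.

```python
import json
import os

# EventBridge rule pattern that routes the CloudTrail record for CreateUser to this function:
# {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
#  "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]}}

# Constructed sample event (placeholder values) in the shape EventBridge delivers.
SAMPLE_EVENT = {
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "requestParameters": {"userName": "new-user"},
    }
}

def user_name_from_event(event):
    """Return the created user's name, or None if this is not a CreateUser record."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateUser":
        return None
    return detail["requestParameters"]["userName"]

def disable_new_user(iam, sns, event, topic_arn):
    """Deactivate every access key and delete the console login profile of the user
    named in a CreateUser event, then publish a summary to the security team's topic.
    iam and sns are boto3-style clients (real ones in Lambda, stubs in tests)."""
    user = user_name_from_event(event)
    if user is None:
        return None
    # Keys may be created right after the user; list them rather than trusting the event.
    keys = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    for key_id in keys:
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    # A login profile may not exist yet; treat NoSuchEntity as already absent.
    try:
        iam.delete_login_profile(UserName=user)
        profile_deleted = True
    except iam.exceptions.NoSuchEntityException:
        profile_deleted = False
    summary = {"user": user, "keys_deactivated": keys, "login_profile_deleted": profile_deleted}
    sns.publish(TopicArn=topic_arn, Subject=f"New IAM user {user} disabled",
                Message=json.dumps(summary))
    return summary

def lambda_handler(event, context):
    import boto3  # imported here so the module stays importable without boto3
    return disable_new_user(boto3.client("iam"), boto3.client("sns"), event,
                            os.environ["SECURITY_TOPIC_ARN"])  # assumed environment variable
```

Because IAM is a global service, CloudTrail records its management events in us-east-1, so the EventBridge rule must be created in that region or the CreateUser event will never match.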