AWS Certified DevOps Engineer – Professional — Question 199
A DevOps engineer wants to implement an automated response that will occur if AWS Trusted Advisor detects an IAM access key in a public source code repository. The automated response must delete the exposed access key and must notify the security team.
Which solution will meet these requirements?
Answer options
- A. Create an AWS Lambda function to delete the IAM access key. Configure AWS CloudTrail logs to stream to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the AWS_RISK_CREDENTIALS_EXPOSED event with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
- B. Create an AWS Lambda function to delete the IAM access key. Create an AWS Config rule for changes to "aws.trustedadvisor" and the "Exposed Access Keys" status with two actions. First, run the Lambda function. Second, use Amazon Simple Notification Service (Amazon SNS) to send a notification to the security team.
- C. Create an AWS Lambda function that deletes the IAM access key and then uses Amazon Simple Notification Service (Amazon SNS) to notify the security team. Create an AWS Personal Health Dashboard rule for the AWS_RISK_CREDENTIALS_EXPOSED event. Set the target of the Personal Health Dashboard rule to the ARN of the Lambda function.
- D. Create an AWS Lambda function that deletes the IAM access key. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an "aws.trustedadvisor" event source and the "Exposed Access Keys" status. Set the EventBridge (CloudWatch Events) rule to target the Lambda function and an Amazon Simple Notification Service (Amazon SNS) topic that notifies the security team.
Correct answer: D
Explanation
Option D is correct as it leverages Amazon EventBridge to trigger the Lambda function when an 'Exposed Access Keys' event occurs, and it also integrates SNS for notifications. Option A relies on CloudTrail logs and metric filters, which may not provide the immediate response required. Option B uses AWS Config, which is not specifically designed for this type of event handling. Option C uses a Personal Health Dashboard, which is not applicable for this use case.
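As an added illustration of option D (this is example code written for this page, not code from AWS or from the question author), the block below contains the EventBridge event pattern for the "aws.trustedadvisor" source and a Lambda handler that deletes the flagged key and publishes to an SNS topic. The event field names ("check-name", "status", "check-item-detail", "Access Key ID", "User Name (IAM or Root)", "Location") follow the published Trusted Advisor event format but are an assumption to verify against a real event in your account; the sample event, the key ID, the user name and the topic ARN are constructed. The handler takes the IAM and SNS clients as parameters so the logic can be exercised with in-memory stand-ins offline; the real `lambda_handler` wires boto3 clients and reads the topic ARN from an assumed `SNS_TOPIC_ARN` environment variable. It also covers one edge case the question does not: a key that belongs to the root user cannot be removed with IAM `DeleteAccessKey`, so the handler escalates instead of failing silently.

```python
"""Added example for option D: EventBridge rule pattern plus a Lambda handler that
removes an exposed IAM access key and notifies the security team via SNS."""
import json
import os
from dataclasses import dataclass, field

# EventBridge rule pattern for option D. Field names follow the published
# Trusted Advisor event format (assumption: verify against your account).
EVENT_PATTERN = {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    "detail": {"check-name": ["Exposed Access Keys"], "status": ["ERROR"]},
}


def matches_pattern(event: dict) -> bool:
    """Re-apply the rule filter inside the function, so an unrelated event still
    does nothing even if the EventBridge rule is later loosened by mistake."""
    detail = event.get("detail", {})
    return (
        event.get("source") in EVENT_PATTERN["source"]
        and event.get("detail-type") in EVENT_PATTERN["detail-type"]
        and detail.get("check-name") in EVENT_PATTERN["detail"]["check-name"]
        and detail.get("status") in EVENT_PATTERN["detail"]["status"]
    )


def handle_exposed_key(event: dict, iam, sns, topic_arn: str) -> dict:
    """Delete the exposed key, then notify. `iam` and `sns` are boto3-style
    clients passed in so the decision logic is testable without AWS access."""
    if not matches_pattern(event):
        return {"action": "ignored"}
    item = event["detail"].get("check-item-detail", {})
    # Assumed names of the flagged-item fields in the Trusted Advisor event.
    key_id = item.get("Access Key ID", "")
    user = item.get("User Name (IAM or Root)", "")
    location = item.get("Location", "unknown")

    if not key_id or not user or user.lower() == "root":
        # Root keys cannot be removed through IAM DeleteAccessKey; escalate.
        outcome = {"action": "manual", "key_id": key_id, "user": user}
    else:
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
        outcome = {"action": "deleted", "key_id": key_id, "user": user}

    sns.publish(
        TopicArn=topic_arn,
        Subject=f"Exposed IAM access key: {outcome['action']}",
        Message=json.dumps({**outcome, "location": location, "detail": event["detail"]}),
    )
    return outcome


def lambda_handler(event, context):
    """Real Lambda entry point: boto3 clients plus the topic ARN from the
    assumed SNS_TOPIC_ARN environment variable."""
    import boto3  # imported lazily so the module also loads in offline tests
    return handle_exposed_key(
        event, boto3.client("iam"), boto3.client("sns"), os.environ["SNS_TOPIC_ARN"]
    )


# In-memory stand-ins for the two clients, used only for the constructed walkthrough.
@dataclass
class FakeIam:
    deleted: list = field(default_factory=list)

    def delete_access_key(self, UserName, AccessKeyId):
        self.deleted.append((UserName, AccessKeyId))
        return {}


@dataclass
class FakeSns:
    published: list = field(default_factory=list)

    def publish(self, TopicArn, Subject, Message):
        self.published.append((TopicArn, Subject, Message))
        return {"MessageId": "constructed-id"}


# Constructed sample event in the (assumed) Trusted Advisor shape.
SAMPLE_EVENT = {
    "source": "aws.trustedadvisor",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "detail": {
        "check-name": "Exposed Access Keys",
        "status": "ERROR",
        "check-item-detail": {
            "Access Key ID": "AKIAEXAMPLECONSTRUCT",  # constructed, not a real key
            "User Name (IAM or Root)": "ci-deploy",
            "Location": "https://git.example.invalid/org/repo/blob/main/.env",
        },
    },
}


def demo():
    """Run the handler against the constructed event with the fake clients."""
    iam, sns = FakeIam(), FakeSns()
    topic = "arn:aws:sns:us-east-1:123456789012:security-team"  # constructed
    outcome = handle_exposed_key(SAMPLE_EVENT, iam, sns, topic)
    return outcome, iam.deleted, sns.published


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The Lambda execution role only needs `iam:DeleteAccessKey` and `sns:Publish` on the one topic; scoping it that tightly limits what the automation itself can do if its trigger is ever abused. The SNS message carries the original `detail` block so the security team can confirm the source location and check for any use of the key before it was deleted.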