Exam AWS Certified Security - Specialty topic 1 question 215 discussion

Cloudwatch + lamdba + SNS required. The closest would be option A? https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/

A - https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/

A is the best answer here, as already posted: https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/ 1. An Amazon CloudWatch Events rule detects any AWS account root user API events. 2. It triggers an AWS Lambda function. 3. The Lambda function then processes the root API event. It also publishes a message to an Amazon SNS topic, where the subject contains the AWS account ID or AWS account alias where the root API call was detected and the type of API activity. 4. The SNS topic then sends notifications to its email subscribers about this event.

Both option A (Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification) and option C (Set up a rule in AWS Config to trigger root user events, trigger an AWS Lambda function, and generate notifications using Amazon SNS) can be valid solutions for monitoring the root user's activity and sending notifications. The choice between these options may depend on specific requirements and preferences within the AWS environment. But option C is what I previously used (now enhanced to using cloud custodian) to set-up root activity monitoring in our company so I go for option C.

The correct answer is A. Set up an Amazon CloudWatch Events rule that triggers an Amazon SNS notification. Options B, C, and D are not the best choices: B. Creating root user access keys is against AWS best practices. Furthermore, parsing AWS CloudTrail logs from S3 would not be as immediate as using CloudWatch Events. C. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources, but it's not designed to monitor real-time user activity or root account usage. D. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS, but it's not designed to monitor root user activity.

Option C is the correct solution. By setting up a rule in AWS Config to trigger root user events, such as root user logins or API calls, the security engineer can detect root user usage. The triggered events can then be used to invoke an AWS Lambda function, which can generate notifications using Amazon SNS to alert the security team. This solution ensures that root user activities are monitored, and alerts are sent in a timely manner. Therefore, option C is the solution that meets the requirements of not using the root user for daily work, monitoring root user usage, and alerting the security team promptly.

It is only A. C is ruled out because of https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html

Option A.

A is answer

A 100%

A and this is very similar to the previous question. The two takeaways are monitor which is Cloudwatch and reporting which is SNS

A. https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/

A is answer Cloudwatch + cloudtrail + sns

A is the right response, C false : config is not used to monitor and it's trigger when they are config changes , and the rule defined in config check only for mfa or key access of root not check when root is used.

Its A.... kind of a bleed off from the previous question.

A. Console sign in event in CWE + SNS

A is answer 100%