Exam AWS DevOps Engineer Professional topic 1 question 62 discussion

D should be right answer as it covers all methods of assuming admin role - not just management console

D is the answer here

The correct answer is option D. Explanation: To track the assumption of an AWS administrator role in near real-time, you can use Amazon CloudWatch Events and AWS CloudTrail. Amazon CloudWatch Events allows you to create rules that can match incoming events and take action on them. You can use an AWS CloudTrail event pattern to match the event where the administrator role is assumed. When an event rule matches an incoming event, it triggers an AWS Lambda function. You can configure the Lambda function to publish a message to an Amazon SNS topic that notifies the security team. Therefore, option D is the correct answer as it provides a near-real-time notification to the security team when the administrator role is assumed by using Amazon EventBridge (CloudWatch Events) events rule, AWS CloudTrail event pattern, AWS Lambda function, and Amazon SNS.

I think it is D

D must be doable. C is much easier.

D is the asnwer. Example: "detail": { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "XYZZYOR:admin", "arn": "arn:aws:sts::123456789012:role/admin", "accountId": "123456789012", "accessKeyId": "XYZZY", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "XYZZYOR", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-02-17T09:41:02Z", "mfaAuthenticated": "false" } } },

Answer is D. Based on the article below, assuming Role using STS ( IAM switchRole feature) is not considered as one of the AWS Console Sign-in events. Only direct sign-in using root and IAM user along with federated sign-in using AWS SSO are considered to be AWS Console Sign-in events. But once you sign in, any role switching performed to login as an administrator in the master account is not considered a sign-in event. Also as it's possible to Assume role using STS: AssumeRole or AssumeRoleWithSAML API and therefore such events will not be logged in as Console Sign-in events even if my above explanation of Console Sign-in events is not accurate. As a result the correct answer is D.

CloudTrail is near real time

REF : https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/

Cloud trail - 'NEAR' real time is the key word

C is right answer.

I go for D Since Cloudtrail deals with taking note of who or what accesses any API(in this instance login and assume roles API)

D https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_apis

The requirement is to track whenever the DevOps engineer assumes Admin role (not the console sign-in events as mentioned in answer C). CloudTrail logs attempts to sign into the AWS Management Console (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html). CloudTrail can be configured to send events to CloudWatch Logs, and CloudWatch sends an SNS notification. The requirement is for a NEAR real time - unfortunately CloudTrail typically delivers logs within an average of about 15 minutes of an API call. This time is not guaranteed.

You can use sns topic as an event bridge target. There’s no need to put lambda in between. This solution is easier to implement, cheaper and more straight forward.

The answer is D There is nothing like an AWS Management Console sign-in events event trigger

https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/ refer this link