Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 117 discussion

Event Bus (EventBridge) system to receive event notification (Option A). Step function can get triggered with workflow of doing steps like removing access and sending email etc..(Option D, E) EventBridge enables you to create event rules that match events from different sources, such as AWS services, SaaS applications, custom applications, and other AWS accounts. Once an event rule is triggered, EventBridge can route the event to one or more targets, such as AWS Lambda functions, Amazon SNS topics, Amazon SQS queues, or custom HTTP endpoints. AWS Step Functions supports several AWS services, such as AWS Lambda, Amazon Simple Notification Service (SNS), and Amazon Simple Queue Service (SQS). You can use these services to trigger actions and pass data between steps in your state machine. Pinpoint is chat system which question did not ask, F is wrong. Not C as

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser. D. Invoke an AWS Step Functions state machine to remove access. E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.

Option ADE: Most people agree with option AE. There can be situations where human intervention is required before the workflow can progress. For example, approving a substantial credit increase may require human approval https://docs.aws.amazon.com/step-functions/latest/dg/use-cases-security-automation.html

Why not BCE? or ACE? How to use Step Function to remove permission?

Poorly constructed answer choices, but ADE is the least worst option.

I picked ADE. EventBridge, Lambda / Step Function, and SNS are required. BDE: No. CloudTrail can't trigger Step Function directly. ABE: No. This solution can't remove the user access automatically. Choosing B alone without A can't directly trigger Lambda / Step functions to remove the user access. C can't compare with D. F is not relevant.

Eventbridge is not needed. Cloudtrail can send notifications to SNS directly https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html

Step function is a process/workflow orchestrator. Usually process/workflow orchestrator doesn’t do actual task, cause the objective of a orchestrator is to maintain the stage of a process/workflow. Instead, the orchestrator call a service to complete the task and update the stage. So the task of removing access should be done by a Lambda function. Since lambda function is not an option, the only applicable option is C, while ECS introduces too much administration overhead, and is a very bad choice for this task.

A, D and E

ADE. have to assume the step function calls lambda or some such to actually perform action

I've chosen the EventBridge option (A) because I really was not able to find a way to set Cloudtrail to trigger SNS on it's own. The rest 2 are common sense

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser. B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic. E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.

ADE is right

ADE Step Functions works.

I like ACE better. I am not sure Step Functions would work.

ADE are correct

This is the correct answer because it follows these steps: - A: The first step is to create an EventBridge rule that listens for the specific API call to create a new IAM user. This will trigger the next step in the process. - D: The next step is to use an AWS Step Functions state machine to remove access for the new IAM user. This ensures that access is removed automatically, as required by the security team. - E: Finally, use Amazon SNS to notify the security team that a new user has been created and access has been removed. This allows the security team to review and approve the user as necessary. Option B is not correct because CloudTrail alone is not able to remove access for the new user. Option C is not correct because it is not specified in the question that the company is using Amazon Elastic Container Service and AWS Fargate technology. Option F is not correct because the question specifies that the company should use Amazon SNS to notify the security team, not Amazon Pinpoint.