Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 117 discussion

Event Bus (EventBridge) system to receive event notification (Option A). Step function can get triggered with workflow of doing steps like removing access and sending email etc..(Option D, E) EventBridge enables you to create event rules that match events from different sources, such as AWS services, SaaS applications, custom applications, and other AWS accounts. Once an event rule is triggered, EventBridge can route the event to one or more targets, such as AWS Lambda functions, Amazon SNS topics, Amazon SQS queues, or custom HTTP endpoints. AWS Step Functions supports several AWS services, such as AWS Lambda, Amazon Simple Notification Service (SNS), and Amazon Simple Queue Service (SQS). You can use these services to trigger actions and pass data between steps in your state machine. Pinpoint is chat system which question did not ask, F is wrong. Not C as

When a new IAM user is created, CloudTrail logs the CreateUser event. EventBridge matches the event and triggers a Step Functions state machine, which removes access by calling IAM actions like detaching policies or disabling the login profile. The state machine then uses SNS to notify the security team. This architecture is fully serverless, scalable, and provides auditability, fulfilling all requirements from detection to access mitigation and alerting.

I Just do not see any reasoning to use step functions. There is no orchestration is involved here. you Just need lambda or Fargate to remove the access. D does not say anything about lambda step at all i think it is just distractor

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser. D. Invoke an AWS Step Functions state machine to remove access. E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.

Option ADE: Most people agree with option AE. There can be situations where human intervention is required before the workflow can progress. For example, approving a substantial credit increase may require human approval https://docs.aws.amazon.com/step-functions/latest/dg/use-cases-security-automation.html

Why not BCE? or ACE? How to use Step Function to remove permission?

Poorly constructed answer choices, but ADE is the least worst option.

I picked ADE. EventBridge, Lambda / Step Function, and SNS are required. BDE: No. CloudTrail can't trigger Step Function directly. ABE: No. This solution can't remove the user access automatically. Choosing B alone without A can't directly trigger Lambda / Step functions to remove the user access. C can't compare with D. F is not relevant.

Eventbridge is not needed. Cloudtrail can send notifications to SNS directly https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html

Step function is a process/workflow orchestrator. Usually process/workflow orchestrator doesn’t do actual task, cause the objective of a orchestrator is to maintain the stage of a process/workflow. Instead, the orchestrator call a service to complete the task and update the stage. So the task of removing access should be done by a Lambda function. Since lambda function is not an option, the only applicable option is C, while ECS introduces too much administration overhead, and is a very bad choice for this task.

A, D and E

ADE. have to assume the step function calls lambda or some such to actually perform action

I've chosen the EventBridge option (A) because I really was not able to find a way to set Cloudtrail to trigger SNS on it's own. The rest 2 are common sense

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser. B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic. E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.

ADE is right

ADE Step Functions works.

I like ACE better. I am not sure Step Functions would work.