How should the security engineer meet these requirements?
Create a cron job that runs a script to download the AWS IAM security credentials file, parse the file for account root user logins, and email the security team’s distribution list.
Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the security team’s distribution list.
Save AWS CloudTrail logs to an Amazon S3 bucket in the security team’s account. Process the CloudTrail logs with the security engineer’s logging solution for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events.
Save VPC Flow Logs to an Amazon S3 bucket in the security team’s account, and process the VPC Flow Logs with their logging solutions for account root user logins. Send an Amazon SNS notification to the security team upon encountering the account root user login events.
Explanations:
A cron job that runs a script to download and parse IAM credentials is not a scalable or efficient solution. AWS CloudTrail is the proper service for capturing login events, and this approach introduces complexity and is prone to errors.
Using AWS CloudTrail with CloudWatch Events to detect root user logins and trigger an SNS notification is an automated, near-real-time solution. CloudTrail records API activity, and CloudWatch Events can trigger Lambda to notify via SNS.
Saving CloudTrail logs to S3 and processing them manually with a logging solution introduces delay and complexity. It is not a near-real-time approach, and would require additional setup for log processing.
VPC Flow Logs capture network traffic but do not record IAM user activities or account logins. They are not suitable for detecting root user logins, which are better captured by CloudTrail.
I sort that the answer is:
Run AWS CloudTrail logs through Amazon CloudWatch Events to detect account root user logins and trigger an AWS Lambda function to send an Amazon SNS notification to the security team’s distribution list.