Which solution will meet these requirements?
A. Implement an AWS CloudTrail trail as an organizational trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
B. Implement an AWS CloudTrail trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to send messages to an Amazon Simple Queue Service (Amazon SQS) queue.
C. Implement an AWS CloudTrail trail as an organizational trail. Configure the trail to store logs in an Amazon S3 bucket. Configure an Amazon EC2 instance to mount the S3 bucket as a file system to ingest new log files that are pushed to the S3 bucket. Configure the EC2 instance also to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic when one of the specified actions is found in the logs.
D. Implement an AWS CloudTrail trail. Configure the trail to store logs in an Amazon S3 bucket. Each hour, create an AWS Glue Data Catalog that references the S3 bucket. Configure Amazon Athena to initiate queries against the Data Catalog to identify the specified actions in the logs.
Explanations:
Option A correctly implements an organizational CloudTrail trail, which logs user actions across all accounts in AWS Organizations. It forwards logs to CloudWatch Logs, where a metric filter is set to track specified events. CloudWatch alarms are then configured to send alerts via SNS, meeting the requirement for real-time alerts.
Option B uses CloudTrail and CloudWatch Logs to monitor events, but it sends alerts to an SQS queue instead of an SNS topic. SQS queues are used for message queuing, not direct alerts, so this option does not meet the requirement of sending alerts to an email distribution list in real time. It also omits the organizational trail, so it would not cover every account in the organization.
Option C uses CloudTrail with an S3 bucket for log storage. While it could detect user actions, it requires an EC2 instance to mount the bucket and process logs, which is inefficient, slow, and not scalable. This solution also does not provide near real-time alerts, making it less suitable for the company's needs.
Option D stores CloudTrail logs in an S3 bucket and uses Athena to query the logs for the specified actions. Athena queries run on an hourly schedule and are not designed for immediate response, so they would not provide real-time alerts. This option also does not integrate with SNS for direct alert notifications.
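The following CloudFormation template is an added example (not part of the original question) that wires together the pieces of Option A: an organizational trail forwarding to a CloudWatch Logs group, a metric filter for chosen event names, an alarm on the resulting metric, and an SNS topic with an email subscription. It assumes the S3 bucket and the CloudTrail-to-CloudWatch-Logs IAM role already exist and are passed in as parameters, that the stack is deployed in the organization's management account with CloudTrail trusted access enabled, and the two event names in the filter are placeholders for whatever actions the company specifies.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  TrailBucketName:        # assumption: existing bucket whose policy allows CloudTrail writes
    Type: String
  TrailLogsRoleArn:       # assumption: existing role CloudTrail assumes to write to CloudWatch Logs
    Type: String
  AlertEmail:             # assumption: address of the email distribution list
    Type: String
Resources:
  TrailLogGroup:
    Type: AWS::Logs::LogGroup
  OrgTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsOrganizationTrail: true     # one trail that records every account in the organization
      IsMultiRegionTrail: true
      S3BucketName: !Ref TrailBucketName
      CloudWatchLogsLogGroupArn: !GetAtt TrailLogGroup.Arn
      CloudWatchLogsRoleArn: !Ref TrailLogsRoleArn
  SpecifiedActionFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref TrailLogGroup
      # placeholder event names; replace with the user actions the company specifies
      FilterPattern: '{ ($.eventName = "StopLogging") || ($.eventName = "DeleteTrail") }'
      MetricTransformations:
        - MetricName: SpecifiedUserActions
          MetricNamespace: Security/CloudTrail
          MetricValue: '1'          # each matching event adds 1 to the metric
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref AlertEmail
          Protocol: email
  SpecifiedActionAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: Security/CloudTrail
      MetricName: SpecifiedUserActions
      Statistic: Sum
      Period: 300                      # the reporting period, in seconds
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching   # no matching events in a period is normal, not an alarm
      AlarmActions: [!Ref AlertTopic]  # publishes to the topic, which emails the list
```

The email subscription must be confirmed from the mailbox before SNS delivers alarm notifications to it.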