Which solution will meet the tagging requirements?
Create an S3 event notification on the S3 bucket to invoke the Lambda function for s3:ObjectTagging:Put events. Enable bucket versioning on the S3 bucket.
Enable server access logging on the S3 bucket. Create an S3 event notification on the S3 bucket for s3:ObjectTagging:* events.
Create a recurring hourly Amazon EventBridge scheduled rule that invokes the Lambda function. Modify the Lambda function to read the logs from the S3 bucket.
Create an Amazon EventBridge rule that uses Amazon EC2 as the event source. Configure the rule to match events delivered by CloudTrail. Configure the rule to target the Lambda function.
Explanations:
S3 event notifications for s3:ObjectTagging:Put events are not relevant to tagging EC2 resources. The CloudTrail logs in S3 are used to track resource creation but cannot directly trigger resource tagging via Lambda in this scenario.
Server access logging is used for monitoring access to S3, not for capturing CloudTrail events related to EC2 resource creation. It does not help in tagging EC2 resources.
A recurring EventBridge rule would not trigger in response to real-time EC2 resource creation events. Additionally, CloudTrail logs would not be processed in real time, which violates the requirement for tagging within the first hour.
EventBridge can trigger on EC2 events delivered by CloudTrail, enabling real-time invocation of the Lambda function to tag resources within the first hour of creation. This satisfies both the tagging requirement and the use of CloudTrail logs.
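A sketch of the rule-plus-Lambda approach described in the last explanation, added here as an example and not taken from the original question. The event names in the pattern, the tag keys `CreatedBy` and `CreatedAt`, and the sample event are assumptions, since the page does not state which resources or tags are required.

```python
# EventBridge rule pattern: EC2 API calls as recorded by CloudTrail.
# The eventName list is an assumption; the page does not list the resources in scope.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["RunInstances", "CreateVolume"]},
}

def created_resource_ids(detail):
    """Return the IDs of resources created by a successful EC2 API call."""
    if detail.get("errorCode"):  # a denied or failed call created nothing
        return []
    resp = detail.get("responseElements") or {}
    if detail.get("eventName") == "RunInstances":
        items = resp.get("instancesSet", {}).get("items", [])
        return [i["instanceId"] for i in items]
    if detail.get("eventName") == "CreateVolume":
        return [resp["volumeId"]] if "volumeId" in resp else []
    return []

def handler(event, context=None, ec2=None):
    """Lambda entry point: tag what the call created with who created it."""
    detail = event.get("detail", {})
    ids = created_resource_ids(detail)
    if not ids:
        return {"tagged": []}
    # Tag keys are hypothetical placeholders for the required tags.
    creator = detail.get("userIdentity", {}).get("arn", "unknown")
    tags = [{"Key": "CreatedBy", "Value": creator},
            {"Key": "CreatedAt", "Value": detail.get("eventTime", "unknown")}]
    if ec2 is None:  # a real client is only built when none is injected
        import boto3
        ec2 = boto3.client("ec2")
    ec2.create_tags(Resources=ids, Tags=tags)
    return {"tagged": ids, "tags": tags}

# Constructed sample of the event EventBridge delivers to the function.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "eventTime": "2024-01-01T00:00:00Z",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0"}]}},
    },
}
```

The function's execution role needs `ec2:CreateTags` on the resources it tags.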