How should this be accomplished?
A. Configure AWS Config to publish logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and send a notification to the security team when the administrator role is assumed.
B. Configure Amazon GuardDuty to monitor when the administrator role is assumed and send a notification to the security team.
C. Create an Amazon EventBridge event rule using an AWS Management Console sign-in events event pattern that publishes a message to an Amazon SNS topic if the administrator role is assumed.
D. Create an Amazon EventBridge events rule using an AWS API call that uses an AWS CloudTrail event pattern to invoke an AWS Lambda function that publishes a message to an Amazon SNS topic if the administrator role is assumed.
Explanations:
A. AWS Config tracks resource configuration changes and compliance; it does not emit real-time notifications for role assumptions. Athena can query logs in S3, but a query is run after the fact, so this approach cannot deliver immediate alerts and is unsuitable for near-real-time monitoring.
B. Amazon GuardDuty detects suspicious activity and known threat patterns, but it does not track ordinary role assumptions such as a user assuming the administrator role, and it does not send a notification for each role assumption.
C. An EventBridge rule with a console sign-in event pattern matches console login events, not the assumption of an IAM role. Sign-in events are the wrong granularity here; the role assumption itself is recorded as an API call.
D. An EventBridge rule that matches the AWS CloudTrail API call event for assuming the administrator role gives the most accurate and timely notification. The rule fires on the API call as soon as the event is delivered, and the invoked Lambda function can publish to the SNS topic immediately.
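The following is an added illustration of option D, not code from the original page: the EventBridge event pattern that matches the CloudTrail record of an STS AssumeRole call on the administrator role, a small matcher that applies the pattern the way EventBridge does for exact-value lists, and the Lambda handler that turns a matching event into an SNS message. The role ARN, account ID, SNS topic environment variable and the sample event are all constructed assumptions; the real pattern should be checked against an actual event delivered in the account before relying on it.

```python
"""Added example (not from the original page): EventBridge rule pattern plus
Lambda handler that alerts on assumption of an administrator role.

Assumed values (not given on the page): the role ARN below, the account ID
123456789012, and an SNS topic ARN supplied via the TOPIC_ARN env variable.
"""
import json
import os
from typing import Optional

ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/AdministratorRole"  # assumed

# EventBridge rule event pattern. CloudTrail-sourced API calls arrive with
# detail-type "AWS API Call via CloudTrail"; STS AssumeRole calls carry the
# target role in detail.requestParameters.roleArn.
EVENT_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole"],
        "requestParameters": {"roleArn": [ADMIN_ROLE_ARN]},
    },
}


def matches_pattern(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: every key in the pattern must be present
    in the event, nested objects recurse, and a leaf list matches when the
    event's value equals one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def build_alert(event: dict) -> Optional[dict]:
    """Return the SNS message for an AssumeRole on the admin role, else None.
    Re-checks the role ARN so a mis-scoped rule cannot produce a false alert."""
    detail = event.get("detail", {})
    params = detail.get("requestParameters", {})
    if detail.get("eventName") != "AssumeRole" or params.get("roleArn") != ADMIN_ROLE_ARN:
        return None
    identity = detail.get("userIdentity", {})
    return {
        "subject": "Administrator role assumed",
        "roleArn": params["roleArn"],
        "sessionName": params.get("roleSessionName"),
        "principal": identity.get("arn"),  # who called AssumeRole
        "sourceIp": detail.get("sourceIPAddress"),
        "time": detail.get("eventTime"),
    }


def handler(event: dict, context: object) -> dict:
    """Lambda entry point: publish the alert to the SNS topic in TOPIC_ARN."""
    message = build_alert(event)
    if message is None:
        return {"published": False}
    import boto3  # imported lazily so the module can be tested without boto3

    boto3.client("sns").publish(
        TopicArn=os.environ["TOPIC_ARN"],
        Subject=message["subject"],
        Message=json.dumps(message, indent=2),
    )
    return {"published": True}


# Constructed sample event in the CloudTrail-via-EventBridge layout.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.sts",
    "account": "123456789012",
    "time": "2024-01-01T12:00:00Z",
    "region": "us-east-1",
    "detail": {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"roleArn": ADMIN_ROLE_ARN, "roleSessionName": "alice-admin"},
    },
}

if __name__ == "__main__":
    print("rule matches:", matches_pattern(EVENT_PATTERN, SAMPLE_EVENT))
    print(json.dumps(build_alert(SAMPLE_EVENT), indent=2))
```

The rule pattern pins the role ARN so the function is only invoked for the role of interest, and `build_alert` repeats that check inside the function; the message carries the calling principal, source IP and session name, which is what the security team needs to decide whether the assumption was expected.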