How should this be accomplished?
Configure AWS Config to publish logs to an Amazon S3 bucket. Use Amazon Athena to query the logs and send a notification to the security team when the administrator role is assumed.
Configure Amazon GuardDuty to monitor when the administrator role is assumed and send a notification to the security team.
Create an Amazon EventBridge (Amazon CloudWatch Events) event rule using an AWS Management Console sign-in events event pattern that publishes a message to an Amazon SNS topic if the administrator role is assumed.
Create an Amazon EventBridge (Amazon CloudWatch Events) event rule using an "AWS API Call via CloudTrail" event pattern to trigger an AWS Lambda function that publishes a message to an Amazon SNS topic if the administrator role is assumed.
Explanations:
AWS Config records resource configurations and configuration changes; it is not a mechanism for reacting to individual API calls such as sts:AssumeRole. Athena can query delivered logs, but queries run on demand against data that arrives in batches, so this approach cannot produce an immediate notification when the role is assumed.
Amazon GuardDuty is a threat detection service that produces findings for activity it judges anomalous or malicious. It does not provide a rule that fires on every assumption of a specific IAM role, so it is not the right fit for this requirement.
Amazon EventBridge (CloudWatch Events) can match AWS Console Sign-in events, but those events record console logins, not the AssumeRole API call. The event pattern must instead be written for the CloudTrail-delivered API call that performs the role assumption.
Using AWS CloudTrail events in EventBridge (CloudWatch Events) is the right approach. CloudTrail records the AssumeRole API call, and EventBridge receives it as an "AWS API Call via CloudTrail" event carrying the role ARN in the request parameters. A rule that matches eventName AssumeRole for the administrator role's ARN can target a Lambda function that publishes the notification to an SNS topic, giving the security team a near-real-time alert.
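The following is an added worked example illustrating the correct option; it is not part of the original question or any AWS documentation. It shows the EventBridge event pattern that matches a CloudTrail-delivered sts:AssumeRole call for one administrator role, a small matcher that applies the pattern the way EventBridge does (every listed field must be present and equal one of the listed values), and a Lambda handler that publishes to SNS. The account ID, role name, topic ARN and the sample event are constructed placeholders; the SNS client is injected so the example runs offline, and boto3 is only imported when no client is supplied.

```python
"""
Added example: EventBridge pattern + Lambda handler for alerting on
assumption of an administrator role via CloudTrail-delivered events.
All ARNs and the sample event below are constructed placeholders.
"""
import json
import os

ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/AdministratorRole"  # placeholder
TOPIC_ARN = os.environ.get(
    "TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:admin-role-assumed"  # placeholder
)

# Event pattern for the EventBridge rule. "AWS API Call via CloudTrail" is the
# detail type EventBridge uses for CloudTrail management events; a trail must be
# logging in the region for these events to be delivered at all.
EVENT_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sts.amazonaws.com"],
        "eventName": ["AssumeRole"],
        "requestParameters": {"roleArn": [ADMIN_ROLE_ARN]},
    },
}


def matches(pattern, event):
    """Apply EventBridge exact-match semantics: each pattern key must exist in the
    event; a list means 'equals any of these values'; a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def build_message(event):
    """Extract the fields a responder wants first: who assumed what, from where."""
    detail = event["detail"]
    identity = detail.get("userIdentity", {})
    return {
        "subject": "Administrator role assumed",
        "role": detail["requestParameters"]["roleArn"],
        "principal": identity.get("arn", "unknown"),
        "sourceIp": detail.get("sourceIPAddress"),
        "time": detail.get("eventTime"),
        "eventID": detail.get("eventID"),
    }


def lambda_handler(event, context=None, sns_client=None):
    """Lambda entry point. The rule already filters on EVENT_PATTERN; re-checking
    here is defence in depth against a rule that was edited to match too broadly."""
    if not matches(EVENT_PATTERN, event):
        return {"published": False, "reason": "event does not match pattern"}
    if sns_client is None:
        import boto3  # present in the Lambda runtime; imported lazily for offline runs
        sns_client = boto3.client("sns")
    message = build_message(event)
    sns_client.publish(
        TopicArn=TOPIC_ARN,
        Subject=message["subject"],
        Message=json.dumps(message, indent=2),
    )
    return {"published": True, "message": message}


# Constructed sample in the shape EventBridge delivers for a CloudTrail AssumeRole call.
SAMPLE_EVENT = {
    "version": "0",
    "id": "example-event-id",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.sts",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"roleArn": ADMIN_ROLE_ARN, "roleSessionName": "alice-session"},
        "eventID": "example-cloudtrail-event-id",
    },
}


class RecordingSns:
    """Stand-in for boto3's SNS client so the example can run without AWS access."""

    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "local-1"}


if __name__ == "__main__":
    fake = RecordingSns()
    print(json.dumps(EVENT_PATTERN, indent=2))
    print(lambda_handler(SAMPLE_EVENT, sns_client=fake))
```

In a deployment the EVENT_PATTERN dict is what goes into the rule definition, and the handler runs with the real boto3 client; because EventBridge only matches the listed fields exactly, an AssumeRole call for any other role never reaches the function, so the SNS topic carries only the signal the security team asked for.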