What should the security engineer do next to meet this requirement?
Within AWS Key Management Service (AWS KMS), specify the deletion time of the key material during CMK creation. AWS KMS will automatically create a CloudWatch alarm.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to look for API calls of DeleteAlias. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the Eventbridge (CloudWatch Events) rule.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to look for API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the Eventbridge (CloudWatch Events) rule.
Create an Amazon Simple Notification Service (Amazon SNS) policy to look for AWS Key Management Service (AWS KMS) API calls of RevokeGrant and ScheduleKeyDeletion. Create an AWS Lambda function to generate the alarm and send the notification to the company. Add the Lambda function as the target of the SNS policy.
Explanations:
AWS KMS does not automatically create CloudWatch alarms based on key material deletion settings. The deletion time specified during CMK creation does not provide proactive monitoring or notifications for key deletions.
TheDeleteAliasAPI call is related to deleting aliases associated with CMKs, not the deletion of the CMK itself. Therefore, monitoring forDeleteAliaswill not fulfill the requirement to notify before a CMK is deleted.
This option correctly identifies the need to monitor for theScheduleKeyDeletionAPI call, which directly relates to the deletion of CMKs. By creating an EventBridge rule to look for bothDisableKeyandScheduleKeyDeletionAPI calls, and triggering a Lambda function to send notifications via SNS, it effectively meets the requirement for alerting before a CMK deletion occurs.
WhileScheduleKeyDeletionis relevant, theRevokeGrantAPI call is unrelated to the deletion of a CMK. This option does not effectively monitor for key deletions, as it combines unrelated actions that do not fulfill the requirement for notifications specifically regarding CMK deletions.
From what I’ve seen, the answer is:
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to look for API calls of DisableKey and ScheduleKeyDeletion. Create an AWS Lambda function to send an Amazon Simple Notification Service (Amazon SNS) message to the company. Add the Lambda function as the target of the Eventbridge (CloudWatch Events) rule.