Which combination of steps should the DevOps engineer take to meet these requirements?

Explanations:

Creating an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail allows for monitoring when new IAM users are created. This is essential for triggering subsequent actions to disable their credentials.

An EventBridge rule that reacts to an IAM GetLoginProfile API call would not meet the requirement, as it triggers when a login profile is retrieved, not when a user is created. This does not help in immediately disabling credentials of new IAM users.

An AWS Lambda function configured as a target of the EventBridge rule can be used to disable access keys and delete login profiles associated with the newly created IAM user. This ensures immediate action is taken to prevent access.

While deleting the login profiles is a part of securing the account, it does not fully meet the requirement of disabling any access keys for the new IAM user. Hence, this alone is insufficient.

Creating an Amazon Simple Notification Service (SNS) topic and subscribing the security team’s email to it ensures that they are notified whenever a new IAM user is created and their credentials are disabled, meeting the notification requirement.

Creating an Amazon SQS queue as a target for the Lambda function does not directly notify the security team. They would not receive immediate email notifications; thus, it does not fulfill the requirement for notifying the team about the event.