Which combination of steps should the DevOps engineer take to meet these requirements?
(Choose three.)
Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail.
Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in AWS CloudTrail.
Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team’s group email address to the topic.
Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team’s group email address to the queue.
Explanations:
Creating an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail allows for monitoring when new IAM users are created. This is essential for triggering subsequent actions to disable their credentials.
An EventBridge rule that reacts to an IAM GetLoginProfile API call would not meet the requirement, as it triggers when a login profile is retrieved, not when a user is created. This does not help in immediately disabling credentials of new IAM users.
An AWS Lambda function configured as a target of the EventBridge rule can be used to disable access keys and delete login profiles associated with the newly created IAM user. This ensures immediate action is taken to prevent access.
While deleting the login profiles is a part of securing the account, it does not fully meet the requirement of disabling any access keys for the new IAM user. Hence, this alone is insufficient.
Creating an Amazon Simple Notification Service (Amazon SNS) topic as a target of the EventBridge rule and subscribing the security team's group email address to it ensures that the team is notified whenever a new IAM user is created and that user's credentials are disabled, meeting the notification requirement.
Creating an Amazon SQS queue as a target for the Lambda function does not directly notify the security team. They would not receive immediate email notifications; thus, it does not fulfill the requirement for notifying the team about the event.
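As an added example (not part of the original question or its explanations), the following shows what the chosen combination looks like in practice: an EventBridge event pattern that matches the CloudTrail record for CreateUser, and the Python logic a Lambda target would run to set the new user's access keys to Inactive, delete the login profile, and publish to an SNS topic. The TOPIC_ARN environment variable, the fake IAM/SNS clients and the sample event are assumptions constructed so the code runs offline.

```python
import json
import os
# EventBridge rule pattern matching the CloudTrail record for iam:CreateUser.
EVENT_PATTERN = {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]}}


def quarantine_user(event, iam, sns, topic_arn):
    """Disable credentials of the user named in a CreateUser event, then notify via SNS."""
    user = event["detail"]["requestParameters"]["userName"]
    disabled = []
    # Set keys Inactive rather than deleting them: reversible, and the key id stays auditable.
    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
        disabled.append(key["AccessKeyId"])
    try:  # a freshly created user may have no console profile yet; that is not a failure
        iam.delete_login_profile(UserName=user)
        profile_deleted = True
    except Exception as exc:  # boto3 raises iam.exceptions.NoSuchEntityException here
        if "NoSuchEntity" not in type(exc).__name__:
            raise
        profile_deleted = False
    summary = {"user": user, "keys_disabled": disabled, "login_profile_deleted": profile_deleted,
               "created_by": event["detail"].get("userIdentity", {}).get("arn")}
    sns.publish(TopicArn=topic_arn, Subject=f"New IAM user quarantined: {user}",
                Message=json.dumps(summary))
    return summary


def lambda_handler(event, context):  # real entry point; TOPIC_ARN is an assumed env var
    import boto3  # present in the Lambda runtime; imported lazily so the fakes below need no AWS
    return quarantine_user(event, boto3.client("iam"), boto3.client("sns"), os.environ["TOPIC_ARN"])


# Constructed fakes and sample event so the logic can be exercised offline.
class NoSuchEntityException(Exception):
    pass
class FakeIam:  # one existing active key, no login profile
    def __init__(self): self.updates = []
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active"}]}
    def update_access_key(self, **kw): self.updates.append(kw)
    def delete_login_profile(self, UserName): raise NoSuchEntityException("no profile")
class FakeSns:
    def __init__(self): self.published = []
    def publish(self, **kw): self.published.append(kw)
SAMPLE_EVENT = {"detail": {"eventName": "CreateUser", "requestParameters": {"userName": "new-contractor"},
                           "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-admin"}}}
def run_demo():
    iam, sns = FakeIam(), FakeSns()
    summary = quarantine_user(SAMPLE_EVENT, iam, sns, "arn:aws:sns:us-east-1:123456789012:sec-team")
    return summary, iam.updates, sns.published
```

Note that a CreateUser trigger only covers credentials present at creation time; keys or profiles added by later CreateAccessKey or CreateLoginProfile calls need their own rules if the same response is wanted.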