Which combination of steps should the DevOps engineer take to meet these requirements?
(Choose three.)
Create an Amazon EventBridge rule that reacts to an IAM CreateUser API call in AWS CloudTrail.
Create an Amazon EventBridge rule that reacts to an IAM GetLoginProfile API call in AWS CloudTrail.
Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to disable any access keys and delete the login profiles that are associated with the IAM user.
Create an AWS Lambda function that is a target of the EventBridge rule. Configure the Lambda function to delete the login profiles that are associated with the IAM user.
Create an Amazon Simple Notification Service (Amazon SNS) topic that is a target of the EventBridge rule. Subscribe the security team’s group email address to the topic.
Create an Amazon Simple Queue Service (Amazon SQS) queue that is a target of the Lambda function. Subscribe the security team’s group email address to the queue.
Explanations:
Creating an EventBridge rule that reacts to an IAM CreateUser API call in CloudTrail will detect when a new IAM user is created, which is necessary for triggering actions based on new users.
The IAM GetLoginProfile API call retrieves the login profile of an existing user. This is not relevant to disabling new IAM user credentials as required by the question.
A Lambda function can disable any access keys and delete login profiles associated with the newly created IAM user, fulfilling the requirement to immediately disable credentials.
Deleting login profiles alone does not meet the requirement to disable the credentials: a login profile only covers console access, and any access keys created for the user must also be deactivated before the credentials are fully disabled.
An SNS topic can be set up as a target of the EventBridge rule, and the security team can be notified via email by subscribing to the topic, fulfilling the notification requirement.
SQS is not necessary for this use case. The security team’s email notification can be handled directly through SNS without the need for SQS.
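The correct combination above (EventBridge rule on the CloudTrail CreateUser event, a Lambda target that deactivates access keys and deletes the login profile, and an SNS topic for the security team) is shown below as an added example; it is not part of the original question or any AWS sample code. The event pattern uses the real CloudTrail-via-EventBridge shape, and the Lambda logic takes its IAM and SNS clients as parameters so it can be exercised with stand-in clients. The environment variable name SECURITY_TOPIC_ARN and all names in the sample event are assumptions.

```python
"""Lambda handler for the CreateUser remediation flow (constructed example)."""
import json
import os

# EventBridge rule pattern that matches the CloudTrail record for iam:CreateUser.
# IAM is a global service, so CloudTrail delivers this event in us-east-1.
CREATE_USER_EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser"],
    },
}


def user_name_from_event(event):
    """Return the new user's name from a CloudTrail-via-EventBridge event, or None.

    Any other API call (for example GetLoginProfile) is ignored, matching the
    reasoning in the explanations above.
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateUser":
        return None
    return detail.get("requestParameters", {}).get("userName")


def disable_credentials(iam, user_name):
    """Deactivate every active access key and delete the console login profile.

    Keys are set to Inactive rather than deleted so the security team can still
    inspect them and re-enable them if the creation turns out to be legitimate.
    A user can hold at most two access keys, so no pagination is needed here.
    """
    summary = {"user": user_name, "deactivated_keys": [], "login_profile_deleted": False}
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(
                UserName=user_name, AccessKeyId=key["AccessKeyId"], Status="Inactive"
            )
            summary["deactivated_keys"].append(key["AccessKeyId"])
    try:
        iam.delete_login_profile(UserName=user_name)
        summary["login_profile_deleted"] = True
    except iam.exceptions.NoSuchEntityException:
        pass  # user was created without a console password; nothing to delete
    return summary


def notify_security_team(sns, topic_arn, summary):
    """Publish the remediation summary to the topic the security team's email subscribes to."""
    return sns.publish(
        TopicArn=topic_arn,
        Subject=f"New IAM user {summary['user']}: credentials disabled",
        Message=json.dumps(summary, indent=2),
    )


def remediate_new_user(event, iam, sns, topic_arn):
    """Core logic with injected clients, so it runs without AWS access in tests."""
    user_name = user_name_from_event(event)
    if user_name is None:
        return None
    summary = disable_credentials(iam, user_name)
    notify_security_team(sns, topic_arn, summary)
    return summary


def lambda_handler(event, context):
    """Lambda entry point. SECURITY_TOPIC_ARN is an assumed environment variable name."""
    import boto3  # imported here so the module also loads where boto3 is absent

    return remediate_new_user(
        event, boto3.client("iam"), boto3.client("sns"), os.environ["SECURITY_TOPIC_ARN"]
    )
```

The Lambda execution role needs iam:ListAccessKeys, iam:UpdateAccessKey, iam:DeleteLoginProfile and sns:Publish on the topic, and nothing broader. Because CloudTrail delivery to EventBridge is near real-time rather than instantaneous, a key created with CreateAccessKey after the function has run is not covered by this rule; a second rule on that event name would close the gap.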