Which combination of steps will meet these requirements?

By:
In: SAP-C02
Tagged:
With: 2 Comments
A company is running an application in the AWS Cloud.The company’s security team must approve the creation of all new IAM users.When a new IAM user is created, all access for the user must be removed automatically.The security team must then receive a notification to approve the user.The company has a multi-Region AWS CloudTrail trail in the AWS account.

Which combination of steps will meet these requirements?

(Choose three.)

Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.

Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic.

Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access.

Invoke an AWS Step Functions state machine to remove access.

Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.

Use Amazon Pinpoint to notify the security team.

Explanations:

Creating an Amazon EventBridge rule with a pattern that matches theCreateUserevent allows for monitoring the specific action of IAM user creation, which is the first step in the workflow to trigger notifications and subsequent actions.

While CloudTrail logs the events, it does not directly send notifications. Instead, notifications should be set up through EventBridge or SNS based on the CloudTrail event. Thus, this option does not contribute directly to the requirements.

Invoking a container in Amazon ECS is not necessary for removing access, and while it could theoretically perform the action, it’s not a standard or optimal method for the use case presented. Directly managing access through IAM policies or roles would be more appropriate.

Using an AWS Step Functions state machine can orchestrate the process of removing user access and facilitate approvals from the security team, ensuring a controlled flow of actions based on the IAM user creation event.

Using Amazon SNS to notify the security team is an effective way to send notifications about the user creation event and obtain the necessary approval, fulfilling the notification requirement.

Amazon Pinpoint is primarily designed for marketing campaigns and user engagement rather than direct notifications for security events, making it less suitable for notifying the security team about IAM user creation.

2026-03-21

2 Comments

  1. Lawrence
    Author

    I sort that the answer is:
    Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.

  2. Gerald
    Author

    I appraise that the answer is:
    Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.

Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen − 5 =