Which other action must the security engineer perform to receive automated alerts about unauthorized AWS API calls?
Create a CloudWatch metric filter that looks for API call error codes. Configure an alarm that is based on that metric’s rate to send an Amazon Simple Notification Service (Amazon SNS) notification when the threshold is exceeded.
Configure CloudTrail to stream event data to Amazon Kinesis Data Streams. Configure an AWS Lambda function on the stream to initiate an alarm when the threshold is exceeded.
Run an Amazon Athena SQL query against CloudTrail log files for unauthorized API requests. Use Amazon QuickSight to create an operational dashboard.
Use the AWS Personal Health Dashboard to monitor the account’s use of AWS services and to provide an alert if service error rates increase.
Explanations:
Creating a CloudWatch metric filter to detect API call error codes allows the engineer to set a specific threshold for unauthorized API requests. When the number of detected errors exceeds this threshold, a CloudWatch alarm can trigger and send a notification via Amazon SNS, providing immediate alerts for unauthorized actions.
While streaming CloudTrail logs to Kinesis Data Streams and using a Lambda function can provide real-time processing of API requests, this approach adds complexity without directly addressing the requirement for immediate alerts based on unauthorized API calls. It also does not leverage the built-in capabilities of CloudWatch for monitoring and alerting.
Running an Amazon Athena query against CloudTrail logs to detect unauthorized API requests and using Amazon QuickSight for visualization does not provide immediate alerts. This method involves a manual querying process and is not suited for real-time monitoring or alerting as required by the question.
The AWS Personal Health Dashboard provides insights into service health and alerts for service issues but does not monitor specific unauthorized API requests or provide alerts based on API error codes. It is not designed for tracking API call metrics or generating notifications based on security events.
I think the answer is:
Create a CloudWatch metric filter that looks for API call error codes. Configure an alarm that is based on that metric’s rate to send an Amazon Simple Notification Service (Amazon SNS) notification when the threshold is exceeded.
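The metric filter and alarm from the first explanation, simulated offline over constructed CloudTrail-style records, as an added example that is not part of the original page. The error-code patterns, the 300-second period and the threshold of 3 are assumptions; the page does not specify them.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Assumed error-code patterns for "unauthorized" calls (the page names none).
PATTERNS = ("*UnauthorizedOperation", "AccessDenied*")
PERIOD_SECONDS = 300   # assumed alarm evaluation period
THRESHOLD = 3          # assumed: alarm when a period holds >= 3 matches

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:05Z","eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation"}
{"eventTime":"2024-05-01T10:01:10Z","eventName":"GetObject","errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T10:02:00Z","eventName":"ListBuckets"}
{"eventTime":"2024-05-01T10:03:30Z","eventName":"PutObject","errorCode":"AccessDeniedException"}
{"eventTime":"2024-05-01T10:04:00Z","eventName":"RunInstances","errorCode":"Client.InvalidParameterValue"}
{"eventTime":"2024-05-01T10:06:00Z","eventName":"GetObject","errorCode":"AccessDenied"}
not json
"""

def matches(event):
    # Metric filter step: does the record carry an unauthorized error code?
    code = event.get("errorCode")
    return code is not None and any(fnmatchcase(code, p) for p in PATTERNS)

def metric_per_period(lines):
    # Count matching records per period, keyed by period start (epoch seconds).
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
            ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue  # skip blank, malformed or incomplete records
        if matches(event):
            epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
            counts[epoch - epoch % PERIOD_SECONDS] += 1
    return counts

def alarm_periods(counts):
    # Alarm step: periods whose count reaches the threshold would notify SNS.
    return sorted(start for start, n in counts.items() if n >= THRESHOLD)

if __name__ == "__main__":
    counts = metric_per_period(SAMPLE_LOG.splitlines())
    print(dict(counts), alarm_periods(counts))
```

Successful calls and unrelated error codes do not contribute to the metric, so only the first period crosses the threshold.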