Which solution will meet these requirements?
Install the Amazon Inspector agent on each EC2 instance. Subscribe to Amazon CloudWatch Events notifications. Trigger an AWS Lambda function to check if a message is about user logins. If it is, send a notification to the Security team using Amazon SNS.
Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user logins. If a login is found, send a notification to the Security team using Amazon SNS.
Set up AWS CloudTrail with Amazon CloudWatch Logs. Subscribe CloudWatch Logs to Amazon Kinesis. Attach AWS Lambda to Kinesis to parse and determine if a log contains a user login. If it does, send a notification to the Security team using Amazon SNS.
Set up a script on each Amazon EC2 instance to push all logs to Amazon S3. Set up an S3 event to trigger an AWS Lambda function, which triggers an Amazon Athena query to run. The Athena query checks for logins and sends the output to the Security team using Amazon SNS.
Explanations:
Amazon Inspector focuses on security assessments, vulnerability management, and compliance checks, not on real-time monitoring of login activity. It does not inherently track user logins, so this approach would not reliably meet the requirement for notifying the Security team of logins.
The Amazon CloudWatch agent can be configured to push logs to CloudWatch Logs. A CloudWatch metric filter can then monitor login events, and if detected, Amazon SNS can send a notification. This setup provides the required near-real-time monitoring and notification.
While CloudTrail and CloudWatch Logs can capture login events, adding Kinesis and Lambda for parsing is overly complex. CloudWatch metric filters alone can monitor CloudTrail login events and trigger SNS, so Kinesis adds unnecessary complexity without providing additional benefit.
This solution involves significant delays due to the need to upload logs to S3, trigger Lambda, and perform an Athena query. This multi-step process would be slow and would likely not meet the requirement to notify the Security team within 15 minutes.
From my perspective, the answer is:
Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user logins. If a login is found, send a notification to the Security team using Amazon SNS.
If I had to guess, I’d say the answer is:
Install the Amazon CloudWatch agent on each EC2 instance. Configure the agent to push all logs to Amazon CloudWatch Logs and set up a CloudWatch metric filter that searches for user logins. If a login is found, send a notification to the Security team using Amazon SNS.