
SAP-C02 Question #256: Real Exam Question with Answer & Explanation

The correct answer is A: Create an Amazon EventBridge (Amazon CloudWatch Events) rule. To automatically remove access for new IAM users and notify a security team for approval, an EventBridge rule should trigger an AWS Step Functions state machine, which then sends a notification via Amazon SNS.

Submitted by paula_co · Mar 6, 2026 · Continuous Improvement for Existing Solutions

Question

A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account. Which combination of steps will meet these requirements? (Choose three.)

Options

  • A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule.
  • B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple
  • C. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS
  • D. Invoke an AWS Step Functions state machine to remove access.
  • E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.
  • F. Use Amazon Pinpoint to notify the security team.

Explanation

To automatically remove access for new IAM users and notify a security team for approval, an EventBridge rule should trigger an AWS Step Functions state machine, which then sends a notification via Amazon SNS.

Common mistakes.

  • B. While CloudTrail can send notifications to SNS, EventBridge is the more flexible and recommended service for filtering events and orchestrating complex workflows beyond a simple notification.
  • C. While a container could perform the access removal, an AWS Step Functions state machine is a more suitable serverless orchestration service for managing multi-step workflows with state and error handling.
  • F. Amazon Pinpoint is primarily for customer engagement campaigns and is less suitable for internal system notifications compared to the simpler and more direct Amazon SNS.

Concept tested. Event-driven automation with CloudTrail, EventBridge, Step Functions, and SNS

Reference. https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-troubleshooting.html
