AWS Certified Developer – Associate / Question #865 of 557

Question #865

A company mandates that all cloud resources must be deployed using AWS CloudFormation templates. A developer is tasked with implementing an Amazon Simple Notification Service (Amazon SNS) alert to enforce this policy. The developer sets up an SNS topic and subscribes the security team's email address to it. The security team requires immediate notification if an Amazon S3 bucket is created without using CloudFormation. Which solution fulfills this requirement?

A

Create an AWS Lambda function to analyze CloudTrail logs for S3 bucket creation events not initiated by CloudFormation. Configure the Lambda function to send alerts to the SNS topic. Set up an Amazon EventBridge scheduled rule to trigger the Lambda function every 15 minutes.

B

Deploy an AWS Fargate task in Amazon Elastic Container Service (Amazon ECS) to monitor CloudTrail for S3 bucket creation events unrelated to CloudFormation. Configure the task to publish alerts to the SNS topic. Use an Amazon EventBridge schedule to run the Fargate task every 15 minutes.

C

Provision an Amazon EC2 instance with a custom script that scans CloudTrail logs for S3 bucket creations not managed by CloudFormation. Configure the script to send notifications to the SNS topic. Implement a cron job on the EC2 instance to execute the script every 15 minutes.

D

Create an Amazon EventBridge rule to detect CloudTrail events where an S3 bucket is created without CloudFormation. Configure the SNS topic as the target for the EventBridge rule to enable real-time notifications.

Explanation

Answer D is correct because:
1. Real-Time Detection: Amazon EventBridge rules can match AWS CloudTrail events, such as S3 bucket creation, as they occur. This eliminates the delays caused by periodic checks (e.g., every 15 minutes in options A, B, and C).
2. Filtering CloudFormation Activity: API calls that CloudFormation makes on a stack's behalf carry a distinctive user agent in CloudTrail. The EventBridge rule's event pattern can match only those S3 bucket creation events whose user agent is not CloudFormation's, so only non-compliant resource creations trigger alerts.
3. Direct Integration: EventBridge can directly target the SNS topic, simplifying the architecture and reducing latency.

Why other options are incorrect:
- A, B, C: These rely on scheduled checks (every 15 minutes), which introduce delays and fail to meet the requirement for immediate alerts.
- A, C: Lambda/EC2-based solutions add unnecessary complexity by requiring custom code to parse CloudTrail logs.
- B: Fargate tasks are overkill for this use case and incur higher operational overhead.

Key Points:
- Use EventBridge for real-time event-driven monitoring of CloudTrail.
- CloudFormation API calls include identifiable metadata (e.g., user agent).
- Avoid periodic checks when immediate notifications are required.
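As an added illustration (not part of the question or of any AWS documentation), the rule from option D written as a CloudFormation template, which also satisfies the company's own deployment mandate. It assumes the security team's existing SNS topic ARN is passed in as a parameter, that a CloudTrail trail is logging management events in the Region, and that CloudFormation's calls appear in CloudTrail with the user agent `cloudformation.amazonaws.com` (verify this against a record from one of your own stack deployments).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Alert the security team when an S3 bucket is created outside CloudFormation
Parameters:
  SecurityTopicArn:
    Type: String   # ARN of the existing topic the security team subscribed to
Resources:
  # EventBridge only sees CreateBucket if a trail logs management events here.
  NonCfnBucketCreationRule:
    Type: AWS::Events::Rule
    Properties:
      Description: S3 CreateBucket calls whose caller is not CloudFormation
      EventPattern:
        source:
          - aws.s3
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - s3.amazonaws.com
          eventName:
            - CreateBucket
          # Assumed user agent that CloudFormation presents in CloudTrail.
          userAgent:
            - anything-but: cloudformation.amazonaws.com
      Targets:
        - Id: SecurityTeamTopic
          Arn: !Ref SecurityTopicArn
          # Turn the raw event into a readable e-mail body for the team.
          InputTransformer:
            InputPathsMap:
              bucket: $.detail.requestParameters.bucketName
              caller: $.detail.userIdentity.arn
            InputTemplate: '"S3 bucket <bucket> was created by <caller> without CloudFormation."'
  # EventBridge cannot publish to the topic until its resource policy allows it.
  AllowEventBridgePublish:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SecurityTopicArn
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SecurityTopicArn
```

Buckets created through the console, CLI, or SDKs all carry a different user agent, so each of those paths triggers the alert; a CreateBucket issued by a stack passes through silently.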

Answer

The correct answer is: D