AWS Certified Solutions Architect - Associate / Question #1812 of 1019

Question #1812

A company uses AWS KMS to manage encryption keys for their cloud infrastructure. They need to ensure KMS keys cannot be accidentally deleted and require email notifications via Amazon SNS whenever a deletion attempt is detected. The solution must minimize operational complexity.

Which approach meets these requirements?

A

Create an Amazon EventBridge rule to detect KMS DeleteKey events. Configure an AWS Config remediation rule to block key deletion. Link the EventBridge rule to the AWS Config remediation. Create an SNS topic to notify administrators when a deletion attempt occurs.

B

Develop an AWS Lambda function to intercept and block KMS key deletion requests. Configure an Amazon EventBridge rule to trigger the Lambda function on DeleteKey events. Set up an SNS topic to send notifications to administrators when the Lambda function is invoked.

C

Create an Amazon EventBridge rule to detect KMS DeleteKey events. Configure the rule to trigger an AWS Systems Manager Automation runbook that cancels the deletion. Link the EventBridge rule to an SNS topic to notify administrators of the attempt.

D

Enable AWS CloudTrail logging for KMS API activity. Create a CloudWatch metric filter to detect DeleteKey events in the logs. Configure a CloudWatch alarm linked to an SNS topic to alert administrators when a deletion attempt is logged.

Explanation

Option C meets the requirements by:
1. Using Amazon EventBridge to detect KMS DeleteKey events.
2. Triggering a Systems Manager Automation runbook to cancel the deletion via the CancelKeyDeletion API, ensuring keys are not deleted.
3. Linking EventBridge to an SNS topic for email notifications.

Other options fail because:
- A: AWS Config remediation cannot directly block KMS key deletions.
- B: Lambda cannot intercept API calls in real time to block deletions.
- D: CloudWatch alerts only notify but do not block deletions.

Key Points:
- KMS deletions have a waiting period, allowing cancellation via API.
- Systems Manager Automation provides a managed solution to cancel deletions without custom code.
- EventBridge and SNS enable event-driven workflows with minimal complexity.
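The event-driven flow of option C, run offline against fake clients as an added example that is not part of the question or its explanation: the EventBridge pattern that selects the CloudTrail record, the CancelKeyDeletion call that ends the waiting period, and the notification. It assumes the CloudTrail event name ScheduleKeyDeletion (the call that starts the waiting period), a FakeKms stand-in for the boto3 client, a notify callable in place of sns.publish, and a constructed sample event.

```python
# Added example (not from the question): the detect -> cancel -> notify flow of the
# correct option, run offline. Assumes the CloudTrail eventName is ScheduleKeyDeletion.
EVENT_PATTERN = {  # what the EventBridge rule would match on
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["kms.amazonaws.com"], "eventName": ["ScheduleKeyDeletion"]},
}

def matches(pattern, event):
    """EventBridge-style match: dict values recurse, list values mean 'one of these'."""
    return all(key in event and (isinstance(event[key], dict) and matches(exp, event[key])
                                 if isinstance(exp, dict) else event[key] in exp)
               for key, exp in pattern.items())

def handle_event(event, kms, notify):
    """Cancel the pending deletion and notify. kms is a boto3-style KMS client;
    notify(message) would wrap sns.publish(TopicArn=..., Message=message) in production."""
    if not matches(EVENT_PATTERN, event):
        return {"action": "ignored"}
    detail = event["detail"]
    key_id = detail["requestParameters"]["keyId"]
    kms.cancel_key_deletion(KeyId=key_id)  # ends the waiting period early
    # Cancelling leaves the key Disabled, not Enabled: EnableKey is a separate step.
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    notify(f"Deletion of KMS key {key_id} scheduled by {detail['userIdentity']['arn']} "
           f"was cancelled; key state is now {state}.")
    return {"action": "cancelled", "key_id": key_id, "key_state": state}

class FakeKms:  # offline stand-in for boto3's KMS client, tracking key state
    def __init__(self, key_id):
        self.state = {key_id: "PendingDeletion"}
    def cancel_key_deletion(self, KeyId):
        self.state[KeyId] = "Disabled"
        return {"KeyId": KeyId}
    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self.state[KeyId]}}

SAMPLE_EVENT = {  # constructed CloudTrail-via-EventBridge record, only the fields used here
    "source": "aws.kms", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
               "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
               "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}}}

def run_demo():
    kms = FakeKms(SAMPLE_EVENT["detail"]["requestParameters"]["keyId"])
    sent = []
    result = handle_event(SAMPLE_EVENT, kms, sent.append)
    return result, sent
```

The key comes back Disabled after the cancellation, so the runbook or an operator still has to call EnableKey before workloads can use it again.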

Answer

The correct answer is: C