Your security Chief Officer has asked you to implement a solution to send an email alert every time someone logged in the AWS console or AWS Cli with the Administrator Role. How could you implement this?

Answer options:

A.Create a new Trail in Cloudtrail and send all the events to a new Cloudwatch Log Group. Create a rule in Cloudwatch that triggers an SNS Alert if the event record of CloudTrail contains the ARN of the AdminRole.
B.Create a Cloudtrail trigger to send an SNS alert if the event record of CloudTrail contains the ARN of the AdminRole.
C.Create a new trail and configure SNS notifications when new logs of Cloudtrail are published.
D.Create a new Trail in Cloudtrail and send all the events to a new Cloudwatch Log Group. Create a rule in Cloudwatch that triggers an SNS Alert if the event record of CloudTrail contains the word “Admin”.

Correct Answer: A
Option A is CORRECT the event record of Cloudtraiils has the ARN of the role that the user has asked to STS. When Cloudwatch detects this it will trigger an alarm in SNS. More details: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
Option B Is incorrect the SNS integration with Cloudtrail does not have these parameters to match specific information in the records. More details: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html#configure-cloudtrail-to-send-notifications
Option C Is incorrect with this approach SNS will send an alarm of all the events that Cloudtrails log.
Option D Is incorrect we are looking to log only the events with the ARN of the role. This approach could log more events.