You are in charge of the maintenance of AWS resources. CloudTrail has been enabled in your AWS Organization, and events have been delivered to a CloudWatch Log group. You want to use the CloudTrail logs to monitor the configuration changes of EC2 security groups, and any security group change events should trigger a CloudWatch alarm. How would you configure this most easily?

Answer options:

A.Create a Lambda function that fetches the CloudTrail logs from the CloudWatch Logs group, filters the security group events and triggers a CloudWatch alarm.
B.In the CloudTrail console, select the CloudWatch Log group, filter the security group events and create a CloudWatch alarm.
C.In the CloudWatch Log group, create a metric filter that defines the security group change events. Create a CloudWatch alarm with the metric filter.
D.In the CloudWatch Log console, create an Athena table for the CloudTrail logs. In Athena, configure a filter for the security group change events and trigger a CloudWatch alarm.

Correct Answer: C
Option A is incorrect because this option needs to configure a new Lambda function and trigger it periodically. It is not the easiest option.
Option B is incorrect because, in the CloudTrail console, you cannot directly select the CloudWatch Log group and configure the CloudWatch alarm.
Option C is CORRECT because users can easily configure a metric filter with the filter pattern for the security group configuration changes and configure a CloudWatch alarm afterward.
Option D is incorrect because Amazon Athena should work with S3 for users to query data through standard SQL. Athena doesn’t perform such filter configuration.
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-security-group