AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company operates 15 AWS accounts in a single AWS organization. The security team maintains a dedicated Security account and wants a near-real-time notification whenever a high-severity security event (such as an IAM policy change, an AWS Config compliance failure, or a critical Amazon GuardDuty finding) occurs in any account. The notifications must be delivered to the Security account, analysts must be able to review historical findings for at least 90 days, and ongoing maintenance in member accounts must be minimized. Which solution should a solutions architect implement to meet these requirements?
Create an individual CloudTrail trail in every account that writes logs to a centralized Amazon S3 bucket in the Security account; configure Amazon S3 event notifications to invoke a Lambda function that scans new log files for high-severity events and sends notifications through Amazon SNS.
Designate the Security account as the delegated administrator for AWS Security Hub, enable Security Hub (and its GuardDuty integration) across the organization, and create an Amazon EventBridge rule in the Security account that filters for HIGH and CRITICAL findings and publishes them to an Amazon SNS topic subscribed by the security team.
Enable an AWS Config organization aggregator in the Security account, enable all AWS Config rules and Amazon GuardDuty in every account, and configure AWS Config to stream compliance change notifications to an Amazon SNS topic in the Security account.
Configure an AWS Organizations CloudTrail organization trail that delivers management events to Amazon CloudWatch Logs in every account; in each account create a subscription filter that streams the log data to a Kinesis Data Firehose delivery stream in the Security account, where an AWS Lambda function parses the stream and publishes high-severity events to Amazon SNS.
AWS Security Hub is purpose-built to aggregate security findings from multiple AWS services (including GuardDuty, AWS Config, and IAM Access Analyzer) and from multiple accounts when a delegated administrator is configured through AWS Organizations. Security Hub automatically retains active findings for 90 days and publishes every new or updated finding to Amazon EventBridge almost immediately. By designating the Security account as the delegated administrator, enabling Security Hub across the organization, and creating a single EventBridge rule in the Security account that filters for HIGH and CRITICAL findings and forwards them to an SNS topic, the security team receives centralized, near-real-time alerts with no per-account custom code or log plumbing.
The other options either rely on per-account CloudTrail trails, CloudWatch Logs subscription filters, or S3 event processing-approaches that are slower, require significant cross-account log streaming and Lambda code, and do not provide the 90-day finding history that Security Hub offers. Using an AWS Config aggregator alone also fails to deliver real-time notifications for IAM changes and relies on rule evaluations rather than continuous finding streams.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What role does AWS Security Hub play in this solution?
Open an interactive chat with Bash
How does Amazon EventBridge integrate with Security Hub for notifications?
Open an interactive chat with Bash
Why is this approach preferred over others like CloudTrail or AWS Config alone?
Open an interactive chat with Bash
AWS Certified Solutions Architect Professional SAP-C02
Design Solutions for Organizational Complexity
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access