{"id":664,"date":"2021-01-08T06:40:26","date_gmt":"2021-01-08T06:40:26","guid":{"rendered":"https:\/\/exampracticetests.com\/aws\/SysOps_Administrator_SOA-C01\/aws-certified-sysops-administrator-soa-c01-question657\/"},"modified":"2021-01-08T06:40:26","modified_gmt":"2021-01-08T06:40:26","slug":"aws-certified-sysops-administrator-soa-c01-question657","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/aws\/SysOps_Administrator_SOA-C01\/aws-certified-sysops-administrator-soa-c01-question657\/","title":{"rendered":"AWS Certified SysOps Administrator SOA-C01 – Question657"},"content":{"rendered":"
A company\u2019s Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team\u2019s AWS account for monitoring.
\nHow can this be accomplished?

A.<\/strong> Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and sent the information to an Amazon SQS queue managed by the Security team.
B.<\/strong> Create an event bus in the Security team\u2019s account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team\u2019s event bus as the target.
C.<\/strong> Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.
D.<\/strong> Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team.<\/div>\n

<\/p>\n