AWS Certified DevOps Engineer - Professional: CloudWatch Events Rule Setup | Exam Question

CloudWatch Events Rule Setup for EC2 Termination Event - DOP-C01


Question

Your DevOps team manages dozens of AWS accounts.

Some of them belong to certain AWS Organizations and some do not.

There is a new requirement to set up a CloudWatch rule in the master account whenever there is a new event of EC2 termination for any of the other accounts.

You plan to set up a CloudWatch Events rule in each account and get the event sent to the default Event bus in the master account.

Which condition is NOT mandatory for this solution to work?

Answers

A. Master account should permit the CloudWatch events to be received from other accounts.

B. All accounts should belong to a certain AWS Organization.

C. A proper IAM role is needed for the sender account to send events to the Event bus in the master account.

D. In CloudWatch Events, in order to send the event to the master account, the target should be configured as "Event bus in another AWS account".

Explanations

Correct Answer - B.

CloudWatch Event bus is the service that lets an account send CloudWatch events to, and receive them from, other AWS accounts.

One thing to note is that the question asks for the option which is NOT a must.

Option A is incorrect: the master account must grant permission on its Event bus before events from other accounts can be received, so this condition is mandatory.

Option B is CORRECT: Because there is no need for all accounts to belong to AWS Organizations.

When adding permissions on the Event bus, the principal can be either an AWS Account or an Organization, so membership in an organization is optional.

Option C is incorrect: the sender account needs a suitable IAM role that the CloudWatch Events rule uses to send the event, so this condition is mandatory.

Option D is incorrect: configuring the target as "Event bus in another AWS account" is required to send the event to the default Event bus in the master account, so this condition is mandatory.

[Screenshot: CloudFormation StackSets "Set deployment options" dialog, showing that stacks can be deployed either into accounts or into organizational units (OU IDs of the form 'ou-', the root ID fragment, a second dash and 8 to 32 further lower-case letters or digits).]

The proposed solution is to set up a CloudWatch Events rule in each AWS account that sends EC2 termination events to the default Event bus in the master account. The solution assumes that the sender account has a proper IAM role for sending events to the Event bus in the master account, and that the master account permits CloudWatch events to be received from other accounts.

Now, let's examine the options provided in the question:

Option A: Master account should permit the CloudWatch events to be received from other accounts.

This option is correct. For the solution to work, the master account must be configured to allow CloudWatch events to be received from other AWS accounts. This is done by adding a permission on the master account's default Event bus that names the sending AWS account (or its organization) as the principal allowed to put events on the bus.

Option B: All accounts should belong to a certain AWS Organization.

This option is incorrect. While it is beneficial to have all AWS accounts belong to a certain AWS Organization, it is not mandatory for the proposed solution to work. The solution only requires that the CloudWatch Events rule is set up in each AWS account, and the event is sent to the default Event bus in the master account.

Option C: A proper IAM role is needed for the sender account to send events to the Event bus in the master account.

This option is correct. For the solution to work, the sender account must have a proper IAM role that allows it to send events to the Event bus in the master account. The IAM role must have the necessary permissions to publish events to the Event bus in the master account.

Option D: In CloudWatch Events, in order to send the event to the master account, the target should be configured as “Event bus in another AWS account”.

This option is correct. To send the event to the master account, the target in the CloudWatch Events rule must be configured as “Event bus in another AWS account”. This will ensure that the event is sent to the default Event bus in the master account.

In conclusion, options A, C, and D are mandatory for the proposed solution to work, while option B is not mandatory.
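The member-account side of conditions C and D, written up as an added CloudFormation example (not code from the exam page); the MasterAccountId parameter value and the resource names are assumptions:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Member-account side of cross-account EC2 termination forwarding (added example)

Parameters:
  MasterAccountId:
    Type: String
    Description: Assumed value - ID of the master account that owns the receiving default Event bus
    AllowedPattern: "^[0-9]{12}$"

Resources:
  # Condition C: an IAM role that CloudWatch Events assumes to put events
  # onto the master account's default Event bus.
  EventBusSenderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsToMasterDefaultBus
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: events:PutEvents
                # Least privilege: only the master account's default bus.
                Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${MasterAccountId}:event-bus/default
  # The rule that fires when an EC2 instance in this account is terminated.
  Ec2TerminationRule:
    Type: AWS::Events::Rule
    Properties:
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - EC2 Instance State-change Notification
        detail:
          state:
            - terminated
      Targets:
        # Condition D: the target is the Event bus in another AWS account.
        - Id: MasterDefaultEventBus
          Arn: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${MasterAccountId}:event-bus/default
          RoleArn: !GetAtt EventBusSenderRole.Arn
```

Condition A lives in a separate stack in the master account: an AWS::Events::EventBusPolicy resource (or `aws events put-permission`) whose principal is the member account ID or the organization ID, which is why organization membership is not required.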