AWS CloudFormation API Call Monitoring | CloudWatch Event Rule

Capture CloudFormation API Calls with CloudWatch Event Rule


Question

A DevOps engineer has created the AWS CloudWatch Event rule shown below to capture CloudFormation API calls:

Explanations

Correct Answer - D.

When a CloudWatch Event rule is created, the event type can be selected as "AWS API Call via CloudTrail".

For details, see the documentation:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-CloudTrail-Rule.html

Option A is incorrect: "AWS API Call via CloudTrail" is a valid event type in a CloudWatch Events rule.

Option B is incorrect: a stack update is also captured and recorded in CloudTrail.

Option C is incorrect: the "detail-type" should be "AWS API Call via CloudTrail".

Option D is CORRECT: "AWS API Call via CloudTrail" in a CloudWatch Events rule relies on the functionality provided by CloudTrail.

So CloudTrail must be turned on first; otherwise the Events rule cannot be triggered.
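As an added illustration (not part of the original question page) of why the "detail-type" matters: a small Python matcher, run over a constructed event shaped like the one CloudWatch Events delivers for a CloudTrail-recorded UpdateStack call, checked against a pattern that carries the detail-type and against the pattern quoted for option C. The matcher implements only the literal-match subset of the event pattern language; the pattern names are my own.

```python
"""Added example, not from the original page: check which rule patterns match
a CloudFormation API-call event that CloudWatch Events receives from CloudTrail.
The sample event is constructed to mirror the documented CloudTrail event shape."""

# Constructed sample event, shaped like the event CloudWatch Events delivers
# for a CloudTrail-recorded UpdateStack call (trail enabled in the region).
SAMPLE_EVENT = {
    "source": "aws.cloudformation",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "UpdateStack",
        "awsRegion": "us-east-1",
        "requestParameters": {"stackName": "example-stack"},
    },
}

# Pattern carrying the detail-type the explanation calls for.
CORRECT_PATTERN = {
    "source": ["aws.cloudformation"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudformation.amazonaws.com"]},
}

# Pattern keyed on a source of "aws.cloudtrail" with no detail-type
# (the shape of the rule quoted for option C).
OPTION_C_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail": {"eventSource": ["cloudformation.amazonaws.com"]},
}

def matches(pattern, event):
    """Literal-value subset of EventBridge pattern semantics: every key in the
    pattern must exist in the event and its value must be one of the listed
    literals; nested dicts recurse. Keys absent from the pattern are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

if __name__ == "__main__":
    print("pattern with detail-type matches:", matches(CORRECT_PATTERN, SAMPLE_EVENT))
    print("option C pattern matches:", matches(OPTION_C_PATTERN, SAMPLE_EVENT))
```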


The DevOps engineer has created an AWS CloudWatch Event rule to capture the CloudFormation API call. However, the rule is not working as expected. Let's go through the provided options to identify the issue and the possible solutions.

Option A states that AWS API Call via CloudTrail cannot be used in a CloudWatch Event rule. This is not correct. CloudTrail is an AWS service that provides a record of actions taken by a user, role, or an AWS service in an AWS account. CloudTrail logs can be used in CloudWatch Event rules to trigger notifications based on specific events or patterns. Therefore, option A is incorrect.

Option B suggests that CloudTrail can only trace the add and delete for a CloudFormation stack, and no API call is recorded for the stack update, so no notification was received. This is also not correct. CloudTrail can record all API calls made to CloudFormation, including stack updates. Therefore, option B is incorrect.

Option C provides a possible solution to the issue. The rule should be changed as follows:

```json
{
  "source": ["aws.cloudtrail"],
  "detail": {
    "eventSource": ["cloudformation.amazonaws.com"]
  }
}
```

This rule will trigger a notification whenever a CloudFormation API call is recorded in CloudTrail. Therefore, option C is a possible correct answer.

Option D suggests that the CloudTrail logging might be turned off in the region, and that's why no AWS API action events can be received. This could be a possible issue, but it is not the most likely cause of the problem based on the information provided in the question. However, it is always a good practice to ensure that CloudTrail logging is turned on in all regions to maintain visibility into AWS API calls. Therefore, option D is a correct answer but not the most likely cause of the problem in the given scenario.

In conclusion, option C is the most likely correct answer as it provides a possible solution to the issue. However, option D is also correct but not the most likely cause of the problem.