Send Email Alert for AWS Console and CLI Logins with Administrator Role

Correct Answer: A.

Option A is CORRECT the event record of Cloudtraiils has the ARN of the role that the user has asked to STS.

When Cloudwatch detects this it will trigger an alarm in SNS.

More details: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html.

Option B Is incorrect the SNS integration with Cloudtrail does not have these parameters to match specific information in the records.

More details: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html#configure-cloudtrail-to-send-notifications.

Option C Is incorrect with this approach SNS will send an alarm of all the events that Cloudtrails log.

Option D Is incorrect we are looking to log only the events with the ARN of the role.

This approach could log more events.

The correct answer is A: Create a new Trail in Cloudtrail and send all the events to a new Cloudwatch Log Group. Create a rule in Cloudwatch that triggers an SNS Alert if the event record of CloudTrail contains the ARN of the AdminRole.

Here's an explanation of the solution:

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It provides a record of actions taken by a user, role, or an AWS service in your account. CloudTrail captures API calls made in the AWS Management Console, AWS CLI, AWS SDKs, and other AWS services.

To implement the solution, follow these steps:

1. Create a new CloudTrail Trail: In the AWS Management Console, go to the CloudTrail service and create a new trail. Select the S3 bucket where the logs will be stored and choose to log all management events.

2. Configure CloudTrail to send events to CloudWatch Logs: Once the trail is created, configure CloudTrail to send events to a new CloudWatch Logs group. This can be done from the CloudTrail service console.

3. Create a CloudWatch Logs subscription filter: Once the CloudTrail logs are streaming to the CloudWatch Logs group, create a new subscription filter for the CloudWatch Logs group. This filter will search for events in the log group that match a specific pattern.

4. Configure SNS to send an email alert: Create a new SNS topic and configure an email subscription. Then, create a CloudWatch rule that triggers an SNS notification when a CloudTrail event matches the pattern specified in the subscription filter. The pattern should match the ARN of the Administrator Role.

With this solution in place, you will receive an email alert every time someone logs into the AWS console or CLI with the Administrator Role. This solution provides a way to monitor and track all actions taken by users with elevated permissions in your AWS account.