What is the most rapid and sophisticated setup you can …

You have a high security requirement for your AWS accounts. What is the most rapid and sophisticated setup you can
use to react to AWS API calls to your account?

A. Subscription to AWS Config via an SNS Topic. Use a Lambda Function to perform in-flight analysis and reactivity to changes as they occur.

B. Global AWS CloudTrail setup delivering to S3 with an SNS subscription to the delivery notifications, pushing into a Lambda, which inserts records into an ELK stack for analysis.

C. Use a CloudWatch Rule ScheduleExpression to periodically analyze IAM credential logs. Push the deltas for events into an ELK stack and perform ad-hoc analysis there.

D. CloudWatch Events Rules which trigger based on all AWS API calls, submitting all events to an AWS Kinesis Stream for arbitrary downstream analysis.

Explanation:
CloudWatch Events allow subscription to AWS API calls, and direction of these events into Kinesis Streams. This allows
a unified, near real-time stream for all API calls, which can be analyzed with any tool(s) of your choosing downstream.
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/EventTypes.html#api_event_type
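The pipeline the explanation describes, rule matching on CloudTrail-sourced events, delivery to a Kinesis stream and a consumer reading the records, as an added Python example that is not part of the original page or of any AWS sample code. The event pattern, the list of sensitive calls, the account id, IPs and event records are all constructed for the example; the `matches` function is a simplified model of the service's own pattern matching (exact-value lists and nested keys only), and the CLI commands named in the comments (`aws events put-rule`, `aws events put-targets`) are where such a pattern would be applied in a real account.

```python
import base64
import json

# Event pattern for a CloudWatch Events rule (constructed for this example).
# It selects API calls that CloudTrail recorded (detail-type "AWS API Call via
# CloudTrail") and narrows them to identity and logging services. In a real
# deployment this JSON is passed to `aws events put-rule --event-pattern` and
# the Kinesis stream is attached as the rule target with `aws events put-targets`.
EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": [
            "iam.amazonaws.com",
            "sts.amazonaws.com",
            "cloudtrail.amazonaws.com",
        ]
    },
}

# API calls the downstream consumer should raise a finding on (assumed list).
SENSITIVE_CALLS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}


def matches(pattern, event):
    """Simplified CloudWatch Events pattern matching.

    Every key in the pattern must be present in the event; a list at a leaf is
    an OR of exact values, a nested dict is matched recursively. Prefix,
    numeric and anything-but matchers of the real service are not modelled.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def api_call_event(event_source, event_name, user, source_ip):
    """Build an event in the shape CloudTrail-sourced CloudWatch events use.
    All field values are constructed sample data, not from a real account."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.%s" % event_source.split(".")[0],
        "account": "123456789012",
        "time": "2017-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.05",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "eventTime": "2017-01-01T00:00:00Z",
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "sourceIPAddress": source_ip,
        },
    }


def route_to_stream(events, pattern=EVENT_PATTERN):
    """Apply the rule: matching events are put on the stream as Kinesis records,
    i.e. the JSON body base64-encoded in the record's `data` field."""
    return [
        {"kinesis": {"data": base64.b64encode(json.dumps(e).encode()).decode()}}
        for e in events
        if matches(pattern, e)
    ]


def analyze(records):
    """Downstream consumer (for instance a Lambda reading the stream): decode
    each record and return one finding per sensitive call."""
    findings = []
    for record in records:
        event = json.loads(base64.b64decode(record["kinesis"]["data"]))
        detail = event["detail"]
        if detail["eventName"] in SENSITIVE_CALLS.get(detail["eventSource"], set()):
            findings.append({
                "eventName": detail["eventName"],
                "user": detail["userIdentity"].get("userName"),
                "sourceIPAddress": detail["sourceIPAddress"],
            })
    return findings


# Constructed sample traffic: a routine EC2 read (dropped by the rule), an IAM
# access-key creation, an STS call, and an attempt to stop CloudTrail logging.
SAMPLE_EVENTS = [
    api_call_event("ec2.amazonaws.com", "DescribeInstances", "alice", "198.51.100.10"),
    api_call_event("iam.amazonaws.com", "CreateAccessKey", "alice", "198.51.100.10"),
    api_call_event("sts.amazonaws.com", "AssumeRole", "deploy-bot", "203.0.113.5"),
    api_call_event("cloudtrail.amazonaws.com", "StopLogging", "alice", "198.51.100.10"),
]

if __name__ == "__main__":
    for finding in analyze(route_to_stream(SAMPLE_EVENTS)):
        print(finding)
```

The split between `route_to_stream` and `analyze` mirrors why option D is the quickest path: the rule and the stream give near real-time delivery of every matching call, and the analysis logic lives entirely in whatever consumer reads the stream, so it can be changed without touching the delivery path.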

JoeS

B.
D doesn't make sense.

tingtang66

D does make sense, but I think B is a better choice.
A CloudWatch Event can be triggered by a CloudTrail Event; even if CloudWatch Events is a real-time system, it still relies on CloudTrail. Also, Kinesis is not a complete analysis system, it's just a message processor, while with option B, ELK is a complete analysis system.

https://www.linkedin.com/pulse/stream-visualize-aws-cloudtrail-logs-real-time-using-lambda-rahul/

James

I believe that the question itself does not define its context well, so either B or D would be the best choice; data in Kinesis is only valid for 24 hours or 7 days, but in S3 it could live forever.