A company's Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team's AWS account for monitoring. How can this be accomplished?
A) Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and sent the information to an Amazon SQS queue managed by the Security team.
B) Create an event bus in the Security team's account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team's event bus as the target.
C) Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.
D) Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team.
Correct Answer:
Verified
Q340: A company is deploying a legacy web
Q341: A SysOps Administrator must use a bastion
Q342: A database is running on an Amazon
Q343: After a network change, application servers cannot
Q344: A company is running a popular social
Q346: A company wants to ensure that each
Q347: An Application performs read-heavy operations on an
Q348: Company A purchases Company B and inherits
Q349: A SysOps Administrator has configured health checks
Q350: A SysOps Administrator attempting to delete an
Unlock this Answer For Free Now!
View this answer and more for free by performing one of the following actions
Scan the QR code to install the App and get 2 free unlocks
Unlock quizzes for free by uploading documents