AWS KMS Service | Monitoring Root User Key Creation | Exam Prep

Monitoring Root User Key Creation in AWS KMS Service

Question

Your company is making extensive use of the AWS KMS service.

They have defined a number of CMK keys.

They want to be notified of any request that was made with the root user to create a key in the KMS service. How could you achieve this? (SELECT TWO.)

Answers

Explanations


Answer: A and C.

Option A is CORRECT because we can use the CloudWatch event rule to monitor root user activities on the AWS account for the KMS service.

Option B is incorrect because a CloudWatch metric is only a variable to monitor; its data points represent the values of that variable over time, but they carry no information about root user activity.

Option C is CORRECT because we can use the CloudWatch event rule to monitor root user activity on the AWS account and use AWS SNS as the rule's target for sending out the notifications.

Option D is incorrect because AWS SQS is a fully managed message queuing service that lets you decouple and scale microservices, distributed systems, and serverless applications; it neither monitors root user activity nor delivers notifications of events performed by the root account.

Reference:

https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/

To achieve this, we can use a combination of two solutions:

  1. Use a CloudWatch Event rule to detect the AWS root user events in KMS.
  2. Use the SNS service to send notifications.

Here's how we can implement these solutions:

  1. Use a CloudWatch Event rule to detect the AWS root user events in KMS:

CloudWatch Event Rules allow us to monitor and respond to events in AWS services. We can use a CloudWatch Event rule to detect the creation of CMKs by the root user in KMS. To do this, we need to create an Event rule that will match the event pattern for KMS key creation and the root user. Here are the steps to create an Event rule:

Step 1: Open the CloudWatch console

Step 2: Create a new Event rule

Step 3: Define the Event pattern

  • In the Event Pattern section, choose "Build custom event pattern".
  • In the Event pattern section, choose "Select event source".
  • Choose "Key Management Service (KMS)" in the dropdown.
  • Choose the "CreateKey" API action.
  • Choose "Any user" for the Principal field.
  • Choose "Root" for the Service field.

Step 4: Define the Target

  • Choose "SNS Topic" as the Target.
  • Choose the SNS topic you want to use to send the notification.

  2. Use the SNS service to send notifications:

Amazon SNS is a fully managed pub/sub messaging service that enables you to send messages from one application to another or to a group of subscribers. We can use SNS to send notifications to an email address, an SMS message, or an HTTP endpoint. Here are the steps to create an SNS topic:

Step 1: Open the SNS console

Step 2: Create a new SNS Topic

Step 3: Define the Topic

  • Enter a name for the topic.
  • Choose the "Email" protocol for the subscription.
  • Enter the email address that you want to use to receive the notifications.

Step 4: Create the Subscription

  • Verify the email address.
  • Create the subscription.

Now, whenever the root user creates a new CMK key in KMS, the CloudWatch Event rule will detect the event and send a notification to the SNS topic. The SNS topic will then send an email notification to the specified email address.
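As an added example (not code from the original page or from the AWS blog it references), here is the event pattern that the console steps above assemble, together with a small matcher that applies the same rule to constructed CloudTrail events so the pattern can be checked offline before it is deployed. The account id, the IAM user name and the `matches`/`cloudtrail_event`/`alerts` helpers are assumptions for illustration; only the JSON pattern is what CloudWatch Events/EventBridge evaluates.

```python
# Event pattern the console steps above build. EventBridge/CloudWatch Events
# semantics: every key must match; a list of values is an OR. The rule only
# receives CloudTrail API-call events if a trail records management events.
ROOT_CREATEKEY_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": ["CreateKey"],
        "userIdentity": {"type": ["Root"]},
    },
}

def matches(pattern, event):
    """EventBridge-style matching: nested dicts recurse, leaf lists are OR sets."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def cloudtrail_event(principal_type, event_name, service="kms"):
    """Constructed sample event as EventBridge receives it from CloudTrail (placeholder account id)."""
    who = "root" if principal_type == "Root" else "user/alice"
    return {
        "source": "aws." + service,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": service + ".amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"type": principal_type,
                             "arn": "arn:aws:iam::111122223333:" + who},
        },
    }

SAMPLE_EVENTS = [
    cloudtrail_event("Root", "CreateKey"),          # should alert
    cloudtrail_event("IAMUser", "CreateKey"),       # IAM user, not root
    cloudtrail_event("Root", "DescribeKey"),        # root, but not a key creation
    cloudtrail_event("Root", "CreateUser", "iam"),  # root, but not KMS
]

def alerts(events, pattern=ROOT_CREATEKEY_PATTERN):
    """Return (eventName, principal arn) for events the rule would forward to SNS."""
    return [(e["detail"]["eventName"], e["detail"]["userIdentity"]["arn"])
            for e in events if matches(pattern, e)]
```

Only the root `CreateKey` event in the sample set reaches the SNS target; the IAM-user key creation, the root `DescribeKey` call and the root IAM call are all filtered out by the pattern.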