Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in selecting the most efficient event-driven architecture to catch specific AWS API activity in near real-time. In production, this is about knowing exactly how to tie EventBridge filtering rules directly to SNS topics without unnecessary compute layers that add latency, cost, or complexity. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
NovaTech Solutions is a fast-growing SaaS startup aiming to deploy all its AWS infrastructure exclusively using AWS CloudFormation for reproducibility and compliance. The dev team wants to receive immediate notifications if any IAM Role is created manually (without using CloudFormation) to ensure full policy enforcement.
A developer sets up an Amazon SNS topic and subscribes the security operations email to it. The goal is to automatically notify the security team immediately anytime an IAM Role is created outside of CloudFormation templates.
The Requirement: #
Design an automated solution that filters events indicating IAM Role creation not initiated by CloudFormation, and promptly publishes a notification to the existing SNS topic.
The Options #
- A) Create an AWS Lambda function to process CloudTrail logs to detect IAM Roles created without CloudFormation. Invoke the Lambda via an EventBridge scheduled rule every 15 minutes. If detected, Lambda publishes to the SNS topic.
- B) Create an AWS Fargate task in ECS to scan CloudTrail events every 15 minutes for IAM Role creations outside CloudFormation, then publish to the SNS topic.
- C) Launch an EC2 instance running a scheduled script (cron job) that scans CloudTrail logs every 15 minutes and publishes matching notifications to the SNS topic.
- D) Create an Amazon EventBridge rule matching IAM Role creation events outside CloudFormation and configure the SNS topic as the direct target for immediate notification.
Google adsense #
leave a comment:
Correct Answer #
D.
Quick Insight: The Developer Imperative #
- For the DVA-C02 exam, the key is to leverage EventBridge’s native event filtering and direct SNS integration to achieve real-time notifications without auxiliary compute layers.
- Polling via Lambda, ECS, or EC2 causes delayed detection and extraneous resource overhead.
- Direct event-to-SNS is simpler, cheaper, and immediate.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
Amazon EventBridge can natively ingest CloudTrail events in near real-time. By creating a fine-grained EventBridge rule that filters for CreateRole events on IAM APIs and excludes those initiated by CloudFormation (by checking the userIdentity.sessionContext.sessionIssuer.userName or eventSource fields), you can route these events directly to an SNS topic. This provides instant, event-driven notifications without needing compute resources or polling.
This approach is performant, cost-effective (no extra compute runtime cost), and reduces maintenance overhead. It also meets the requirement of immediate notification to the security team.
The Trap (Distractor Analysis) #
-
Why not A? Lambda invoked on a schedule means detection is not immediate, adding 15 minutes latency. Plus, maintaining a scanning Lambda is more complex and has runtime cost.
-
Why not B? Running containerized ECS Fargate tasks for periodic scanning is unnecessary overkill, costly, and delays notification.
-
Why not C? Manual EC2 instance management for scanning scripts adds operational risk, higher cost, maintenance burden, and latency.
The Technical Blueprint #
aws events put-rule \
--name DetectIAMRoleCreation \
--event-pattern '{
"source": ["aws.iam"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventName": ["CreateRole"],
"userIdentity": {
"sessionContext": {
"sessionIssuer": {
"userName": [{
"anything-but": "CloudFormation"
}]
}
}
}
}
}'
aws events put-targets \
--rule DetectIAMRoleCreation \
--targets "Id"="1","Arn"="arn:aws:sns:region:account-id:MySecurityTopic"
This direct integration uses EventBridge event patterns to filter out IAM Roles created except by CloudFormation, forwarding matched events immediately to the SNS topic.
The Comparative Analysis #
| Option | API Complexity | Performance | Use Case |
|---|---|---|---|
| A | Medium (Lambda code) | 15 min delay | Scheduled batch scanning |
| B | High (ECS + Fargate) | 15 min delay | Heavy container orchestration |
| C | High (EC2+cron) | 15 min delay | Legacy/manual scanning custodianship |
| D | Low (EventBridge) | Near real-time | Direct event-driven notifications with minimal overhead |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick EventBridge rules with direct SNS targets when you need real-time AWS API event notifications.
Real World #
In production, we avoid any polling or batch scanning for security-critical events due to latency. Setting up streaming event filters on EventBridge is the most efficient way to detect and react instantly to policy violations or resource changes.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the DVA-C02 exam.