A company wants to ensure that all IAM user changes are logged and that an alert is sent when a new IAM user is created. Which services should be used together to achieve this? (Select THREE.)
CloudTrail logs can be streamed to CloudWatch Logs.
Why this answer
Amazon CloudWatch Logs is correct because it can receive and store log events from AWS CloudTrail, which records all IAM user changes including user creation. By sending CloudTrail logs to CloudWatch Logs, you can then create metric filters to detect specific API calls like 'CreateUser' and trigger CloudWatch Alarms to send notifications via SNS.
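The pipeline described above, as an added example that is not part of the original page: the metric filter and alarm parameters in the shape boto3's `put_metric_filter` and `put_metric_alarm` accept, plus a simplified local stand-in for the filter run over constructed CloudTrail records. The log group name, metric namespace, account ID and SNS topic ARN are placeholders.

```python
import json

# JSON filter pattern: match on eventSource as well as eventName, because
# other services (e.g. AWS Transfer Family) also expose a CreateUser call.
FILTER_PATTERN = '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateUser") }'

# Keyword arguments for logs.put_metric_filter(); names are placeholders.
METRIC_FILTER = {
    "logGroupName": "example-cloudtrail-log-group",
    "filterName": "iam-create-user",
    "filterPattern": FILTER_PATTERN,
    "metricTransformations": [{"metricName": "IAMCreateUserCount",
                               "metricNamespace": "Example/Security",
                               "metricValue": "1"}],
}
# Keyword arguments for cloudwatch.put_metric_alarm(); the ARN is a placeholder.
ALARM = {
    "AlarmName": "iam-user-created", "Namespace": "Example/Security",
    "MetricName": "IAMCreateUserCount", "Statistic": "Sum", "Period": 300,
    "EvaluationPeriods": 1, "Threshold": 1,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "TreatMissingData": "notBreaching",
    "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:example-security-alerts"],
}

# Constructed CloudTrail records, one JSON document per log event.
SAMPLE_EVENTS = [
    '{"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "requestParameters": {"userName": "example-user"}}',
    '{"eventSource": "iam.amazonaws.com", "eventName": "DeleteUser", "requestParameters": {"userName": "example-user"}}',
    '{"eventSource": "transfer.amazonaws.com", "eventName": "CreateUser"}',
    "not a JSON log line",
]

def matches_filter(line: str) -> bool:
    """Simplified local stand-in for FILTER_PATTERN (not the CloudWatch engine)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return False  # a JSON pattern never matches non-JSON text
    return (isinstance(record, dict)
            and record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") == "CreateUser")

def metric_sum(lines) -> int:
    """Value the filter would publish for one period: 1 per matching event."""
    return sum(1 for line in lines if matches_filter(line))

def alarm_fires(lines) -> bool:
    """Apply the alarm's Sum >= Threshold comparison to one period."""
    return metric_sum(lines) >= ALARM["Threshold"]
```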
Exam trap
The trap here is that candidates often select AWS Config thinking it monitors API activity, but Config is designed for compliance and configuration auditing, not for real-time event logging and alerting on specific API calls.
How to eliminate wrong answers
Option B is wrong because AWS Config is a service for evaluating resource configurations against desired policies (e.g., checking if IAM users have MFA enabled), not for logging real-time API events or triggering alerts on user creation.

Option D is wrong because Amazon S3 is an object storage service that can store CloudTrail logs but cannot natively filter logs or trigger alarms based on specific API events; it lacks the real-time monitoring and alerting capabilities needed for this use case.