The correct choice is Use Amazon EventBridge with an AWS API call via CloudTrail event pattern that filters sts:AssumeRole on the AdminElevate role and invoke AWS Lambda to send a message to an Amazon SNS topic. This approach delivers near real time alerts and preserves the CloudTrail audit record for every assume role call.

EventBridge can match CloudTrail management events by using an event pattern for the sts:AssumeRole API and the specific role ARN. When the pattern matches, EventBridge can invoke a Lambda function or deliver to an SNS topic so the security team receives immediate notifications and CloudTrail retains the full event for investigation. This gives deterministic alerts for each assume role call instead of relying on anomaly detection.

Enable AWS CloudTrail Insights and route findings through Amazon EventBridge to an Amazon SNS topic is unsuitable because Insights identifies anomalous or unusual activity rather than emitting an event for every sts:AssumeRole call on a single named role. Insights cannot guarantee a deterministic audit and alert for each role assumption.

Turn on Amazon GuardDuty to detect unusual use of the admin role and send a notification to AWS CloudTrail is incorrect because GuardDuty generates findings for suspicious behavior and it will not reliably fire for every named role assumption. GuardDuty findings are not sent to CloudTrail and CloudTrail is not a notification target.

Create an Amazon EventBridge rule that matches AWS Management Console sign-in events and trigger an AWS Lambda function to publish to Amazon SNS when the admin role is used will not reliably capture role assumption events because console sign in records are separate from STS assume role API calls. You must match the sts:AssumeRole API to capture the AdminElevate role being assumed.

Full AWS Practitioner Certification Question