Exam AWS Certified Security - Specialty topic 1 question 1 discussion

Use the AWS CloudTrail event history to identify AWS API activity in the last 90 days for your IAM access key. ref- https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-for-activity/

Answer is A. 1st question in CloudTrail FAQ, in Getting Started section. "Q: If I am a new AWS customer or existing AWS customer and don’t have CloudTrail setup, do I need to enable or setup anything to view my account activity? A: No, nothing is required to begin viewing your account activity. You can visit the AWS CloudTrail console or AWS CLI and begin viewing up to the past 90 days of account activity."

Cloud trail and Athena will help investigate activities over a long period (past 3 months) because Athena can run SQL queries directly over CloudTrail logs stored in S3

When investigating historical activity by an access key over a long period (e.g., 3 months), and especially when looking for specific user actions, the best approach is to: Ensure CloudTrail logs are stored in Amazon S3 Use Amazon Athena to run SQL-like queries on the logs for deep analysis This is: Scalable for large volumes of logs Fast for filtering by access key ID, event source, event name, etc. Cost-effective and fully serverless

D is correct but what if we haven't created a trail to deliver CloudTrail log to S3 ? So A is acceptable because CloudTrail allows us to search for events for the past 90 days.

D is correct to fetch logs older than 3 months and easlity apply filter for specific employee

A is correct.

The interest period is 90 days, then you can simply query logs from AWS Cloudtrail

Use the AWS Cloud Trail console to search for user activity.

I think the answer is A. But everyone who says the answer is A is making a false claim. Because even logs from the past 3 months can be queried with S3 + Athena. I wonder if someone can give me a good explanation.

Within 3 months: CloudTrail querying Beyond 3 months: CloudTrail + S3, query using Athena

A is not an answer for this question because this way is to view activities of existing users. For former employee, Cloudtrail logs should be saved in storage like S3 and can be viewed by using query tools like Athena. Therefore the answer is D, I'm sure.

D. Amazon Athena is a serverless, interactive query service that integrates with S3 and uses standard SQL to analyze data. Athena can be used to query large amounts of CloudTrail data stored in S3, making it an excellent choice for this scenario. Remember the key point that Amazon Athena is used for interactive, ad-hoc querying of data stored in Amazon S3 using standard SQL. It is particularly useful when dealing with large datasets and historical data, such as CloudTrail logs spanning several months.

The Security team can use the AWS CloudTrail console to search for user activity and identify what the former employee may have done within AWS. CloudTrail is a service that records AWS API calls and events for your account and delivers log files to an Amazon S3 bucket that you specify.

A for sure.

The key is without any configuration by DEFAULT By Default only CloudTrail is logged A. Paste the Specific Access Key ID in Search bar for Access Key lookup. Other attributes to search in Cloud Trail Events History -Event ID, Source , Resource Name , Resource Type ,Username Athena on Cloudtrail is also good but little time taking - need to create a Athena table and query it A. Best for unusual activity form baseline - Cloud watch insights. B. Config - Resource configuration changes are logged but Access key is not one C. Athena on S3 - Cloudtrail need to be configured to push logs to S3 , after 90days good idea

A for sure