Exam AWS Certified Security - Specialty topic 1 question 1 discussion

Use the AWS CloudTrail event history to identify AWS API activity in the last 90 days for your IAM access key. ref- https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-for-activity/

A is correct answer.

D is correct to fetch logs older than 3 months and easlity apply filter for specific employee

A is correct.

The interest period is 90 days, then you can simply query logs from AWS Cloudtrail

Use the AWS Cloud Trail console to search for user activity.

I think the answer is A. But everyone who says the answer is A is making a false claim. Because even logs from the past 3 months can be queried with S3 + Athena. I wonder if someone can give me a good explanation.

Within 3 months: CloudTrail querying Beyond 3 months: CloudTrail + S3, query using Athena

A is not an answer for this question because this way is to view activities of existing users. For former employee, Cloudtrail logs should be saved in storage like S3 and can be viewed by using query tools like Athena. Therefore the answer is D, I'm sure.

D. Amazon Athena is a serverless, interactive query service that integrates with S3 and uses standard SQL to analyze data. Athena can be used to query large amounts of CloudTrail data stored in S3, making it an excellent choice for this scenario. Remember the key point that Amazon Athena is used for interactive, ad-hoc querying of data stored in Amazon S3 using standard SQL. It is particularly useful when dealing with large datasets and historical data, such as CloudTrail logs spanning several months.

The Security team can use the AWS CloudTrail console to search for user activity and identify what the former employee may have done within AWS. CloudTrail is a service that records AWS API calls and events for your account and delivers log files to an Amazon S3 bucket that you specify.

A for sure.

The key is without any configuration by DEFAULT By Default only CloudTrail is logged A. Paste the Specific Access Key ID in Search bar for Access Key lookup. Other attributes to search in Cloud Trail Events History -Event ID, Source , Resource Name , Resource Type ,Username Athena on Cloudtrail is also good but little time taking - need to create a Athena table and query it A. Best for unusual activity form baseline - Cloud watch insights. B. Config - Resource configuration changes are logged but Access key is not one C. Athena on S3 - Cloudtrail need to be configured to push logs to S3 , after 90days good idea

A for sure

The answer is A: You can search the behavior of users in the Event History of the CloudTrails console

I think D makes more sense, when you need to query 3 months worth of logs from Cloudtrail

https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html