Exam SCS-C01
Question 1

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.

What approach would enable the Security team to find out what the former employee may have done within AWS?

    Correct Answer: A

    To determine what the former employee may have done within AWS, the most direct approach would be to use the AWS CloudTrail console to search for user activity. AWS CloudTrail records AWS API calls and events for your account and provides visibility into user activities. With CloudTrail, you can look up API call history for the past 90 days without any prior setup, enabling you to quickly identify the actions taken by specific users or access keys. This makes it the most efficient tool for investigating recent user activity within AWS.
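
The Event history lookup described above, done through the CloudTrail `lookup_events` API instead of the console. This is an added example, not part of the original page or AWS's own code: `fetch_pages`, `summarize` and the sample events are constructed for illustration, and the key ID and IP addresses are documentation placeholders.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

def fetch_pages(client, access_key_id, now=None, days=90):
    """Page through Event history for one key; client is boto3.client("cloudtrail")."""
    now = now or datetime.now(timezone.utc)
    return client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "AccessKeyId",
                           "AttributeValue": access_key_id}],
        StartTime=now - timedelta(days=days), EndTime=now)

def summarize(pages):
    """Reduce lookup_events pages to what an investigator reads first."""
    calls, ips, writes, failed = Counter(), set(), [], 0
    for page in pages:
        for ev in page.get("Events", []):
            # CloudTrailEvent is the full record, delivered as a JSON string.
            detail = json.loads(ev.get("CloudTrailEvent") or "{}")
            calls[(ev["EventSource"], ev["EventName"])] += 1
            if detail.get("sourceIPAddress"):
                ips.add(detail["sourceIPAddress"])
            if detail.get("errorCode"):
                failed += 1          # denied or otherwise unsuccessful call
            elif detail.get("readOnly") is False:
                writes.append((ev["EventTime"], ev["EventName"]))  # state change
    return {"calls": calls, "source_ips": ips,
            "writes": sorted(writes), "failed": failed}

# Constructed sample data (not real logs): documentation key ID and IP ranges.
KEY = "AKIAIOSFODNN7EXAMPLE"
def _ev(name, source, day, ip, read_only, error=None):
    detail = {"sourceIPAddress": ip, "readOnly": read_only}
    if error:
        detail["errorCode"] = error
    return {"EventName": name, "EventSource": source, "AccessKeyId": KEY,
            "EventTime": datetime(2024, 5, day, tzinfo=timezone.utc),
            "CloudTrailEvent": json.dumps(detail)}

CONSTRUCTED_PAGES = [
    {"Events": [_ev("ListBuckets", "s3.amazonaws.com", 2, "198.51.100.7", True),
                _ev("CreateUser", "iam.amazonaws.com", 3, "198.51.100.7", False)]},
    {"Events": [_ev("RunInstances", "ec2.amazonaws.com", 4, "203.0.113.9", False,
                    "Client.UnauthorizedOperation"),
                _ev("ListBuckets", "s3.amazonaws.com", 5, "203.0.113.9", True)]},
]

if __name__ == "__main__":
    report = summarize(CONSTRUCTED_PAGES)
    print(report["calls"].most_common(), report["writes"], report["failed"])
```

Event history is kept per Region and contains management events only, so the lookup has to be repeated in each Region in use, and data events such as S3 object reads will not appear in it.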

Discussion
josellama2000

Use the AWS CloudTrail event history to identify AWS API activity in the last 90 days for your IAM access key. Ref: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-for-activity/

learnaws16

Answer is A. 1st question in CloudTrail FAQ, in Getting Started section. "Q: If I am a new AWS customer or existing AWS customer and don’t have CloudTrail setup, do I need to enable or setup anything to view my account activity? A: No, nothing is required to begin viewing your account activity. You can visit the AWS CloudTrail console or AWS CLI and begin viewing up to the past 90 days of account activity."

habros (Option: A)

Within 3 months: CloudTrail querying
Beyond 3 months: CloudTrail + S3, query using Athena

KVK16 (Option: A)

The key is without any configuration by DEFAULT. By default only CloudTrail is logged.

A. Paste the specific access key ID in the search bar for access key lookup. Other attributes to search in CloudTrail Event History: Event ID, Source, Resource Name, Resource Type, Username.

Athena on CloudTrail is also good but a little time-taking: you need to create an Athena table and query it.

A. Best for unusual activity from baseline - CloudWatch Insights.
B. Config - Resource configuration changes are logged but the access key is not one.
C. Athena on S3 - CloudTrail needs to be configured to push logs to S3; after 90 days, a good idea.

ITGURU51

The Security team can use the AWS CloudTrail console to search for user activity and identify what the former employee may have done within AWS. CloudTrail is a service that records AWS API calls and events for your account and delivers log files to an Amazon S3 bucket that you specify.

tipzzz

https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

Amazon_Dumps_com (Option: D)

D is Valid ( DDDDD )

Raphaello (Option: A)

A is correct.

Maffo102 (Option: A)

The interest period is 90 days, so you can simply query logs from AWS CloudTrail.

Benah

Use the AWS CloudTrail console to search for user activity.

Japanese1

I think the answer is A. But everyone who says the answer is A is making a false claim. Because even logs from the past 3 months can be queried with S3 + Athena. I wonder if someone can give me a good explanation.

realdandy (Option: D)

A is not an answer for this question because this way is to view activities of existing users. For a former employee, CloudTrail logs should be saved in storage like S3 and can be viewed by using query tools like Athena. Therefore the answer is D, I'm sure.

OCHT (Option: D)

D. Amazon Athena is a serverless, interactive query service that integrates with S3 and uses standard SQL to analyze data. Athena can be used to query large amounts of CloudTrail data stored in S3, making it an excellent choice for this scenario. Remember the key point that Amazon Athena is used for interactive, ad-hoc querying of data stored in Amazon S3 using standard SQL. It is particularly useful when dealing with large datasets and historical data, such as CloudTrail logs spanning several months.

Kitman (Option: A)

A for sure.

janvandermerwer (Option: A)

A for sure

SonNguy3n (Option: A)

The answer is A: You can search the behavior of users in the Event History of the CloudTrail console.

tezawynn

I think D makes more sense, when you need to query 3 months' worth of logs from CloudTrail.