AWS Certified Security – Specialty (SCS-C02) — Question 34
A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. The company has not monitored account activity in the past.
The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.
Which solution will meet these requirements?
Answer options
- A. In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.
- B. Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.
- C. In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Partition the table by event source.
- D. Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to assess by resource.
Correct answer: C
Explanation
The correct answer is C because AWS CloudTrail provides detailed logs of API calls and changes made to AWS resources, allowing for a precise audit of actions taken by the former employee. Options A and B focus on cost-related data, which does not directly show resource changes. Option D, though useful for compliance monitoring, does not offer the immediate insight into resource changes that CloudTrail does.