AWS Certified Security – Specialty — Question 120
A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed keys to determine the extent of the exposure. The company enabled AWS CloudTrail in all regions when it opened the account.
Which of the following will allow the Security Engineer to complete the task?
Answer options
- A. Filter the event history on the exposed access key in the CloudTrail console. Examine the data from the past 11 days.
- B. Use the AWS CLI to generate an IAM credential report. Extract all the data from the past 11 days.
- C. Use Amazon Athena to query the CloudTrail logs from Amazon S3. Retrieve the rows for the exposed access key for the past 11 days.
- D. Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.
Correct answer: A
Explanation
Option A is correct because filtering the event history in the CloudTrail console on the exposed access key gives the Security Engineer direct access to the logs associated with that key over the past 11 days. Options B and C do not specifically focus on the event history related to the exposed key, and Option D does not provide detailed activity logs for the past 11 days, so they are less effective for this task.