AWS Certified Security – Specialty — Question 415
A security team has received an alert from Amazon GuardDuty that AWS CloudTrail logging has been disabled. The security team’s account has AWS Config, Amazon Inspector, Amazon Detective, and AWS Security Hub enabled. The security team wants to identify who disabled CloudTrail and what actions were performed while CloudTrail was disabled.
What should the security team do to obtain this information?
Answer options
- A. Use AWS Config to search for the CLOUD_TRAIL_ENABLED event. Use the configuration recorder to find all activity that occurred when CloudTrail was disabled.
- B. Use Amazon Inspector to find the details of the CloudTrailLoggingDisabled event from GuardDuty, including the user name and all activity that occurred when CloudTrail was disabled.
- C. Use Detective to find the details of the CloudTrailLoggingDisabled event from GuardDuty, including the user name and all activity that occurred when CloudTrail was disabled.
- D. Use GuardDuty to find which user generated the CloudTrailLoggingDisabled event. Use Security Hub to find the trace of activity related to the event.
Correct answer: C
Explanation
Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster security investigations. That makes it the right tool to trace the CloudTrailLoggingDisabled GuardDuty finding back to the responsible user and the activity associated with that user. AWS Config tracks resource configuration changes rather than user API activity, Amazon Inspector is designed for vulnerability scanning, and AWS Security Hub aggregates findings rather than performing deep relationship-graph investigations.