AWS Certified Solutions Architect – Associate (SAA-C02) — Question 580
A company wants to analyze and troubleshoot Access Denied errors and Unauthorized errors that are related to IAM permissions. The company has AWS CloudTrail turned on.
Which solution will meet these requirements with the LEAST effort?
Answer options
- A. Use AWS Glue and write custom scripts to query CloudTrail logs for the errors.
- B. Use AWS Batch and write custom scripts to query CloudTrail logs for the errors.
- C. Search CloudTrail logs with Amazon Athena queries to identify the errors.
- D. Search CloudTrail logs with Amazon QuickSight. Create a dashboard to identify the errors.
Correct answer: C
Explanation
Amazon Athena allows users to query CloudTrail logs stored in Amazon S3 directly using standard SQL, providing the simplest and fastest way to troubleshoot permission errors with minimal setup. In contrast, using AWS Glue or AWS Batch requires writing and maintaining custom scripts, which significantly increases operational overhead. Amazon QuickSight is a business intelligence tool designed for visualization rather than quick, ad-hoc log querying for troubleshooting, making it less efficient for this specific task.