AWS Certified Solutions Architect – Associate (SAA-C03) — Question 526

A company wants to analyze and troubleshoot Access Denied errors and Unauthorized errors that are related to IAM permissions. The company has AWS CloudTrail turned on.

Which solution will meet these requirements with the LEAST effort?

Answer options

• A. Use AWS Glue and write custom scripts to query CloudTrail logs for the errors.
• B. Use AWS Batch and write custom scripts to query CloudTrail logs for the errors.
• C. Search CloudTrail logs with Amazon Athena queries to identify the errors.
• D. Search CloudTrail logs with Amazon QuickSight. Create a dashboard to identify the errors.

Correct answer: C

Explanation

Amazon Athena is a serverless query service that allows users to analyze data in Amazon S3 using standard SQL, making it the easiest way to query CloudTrail logs with minimal configuration. Using AWS Glue or AWS Batch requires writing and maintaining custom scripts, which increases operational overhead. Amazon QuickSight is a visualization tool and is over-engineered for simply identifying and troubleshooting specific permission errors.