AWS Certified SysOps Administrator – Associate — Question 431
A SysOps administrator must manage the security of an AWS account. Recently, an IAM user's access key was mistakenly uploaded to a public code repository.
The SysOps administrator must identify anything that was changed by using this access key.
How should the SysOps administrator meet these requirements?
Answer options
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all IAM events to an AWS Lambda function for analysis.
- B. Query Amazon EC2 logs by using Amazon CloudWatch Logs Insights for all events initiated with the compromised access key within the suspected timeframe.
- C. Search AWS CloudTrail event history for all events initiated with the compromised access key within the suspected timeframe.
- D. Search VPC Flow Logs for all events initiated with the compromised access key within the suspected timeframe.
Correct answer: C
Explanation
AWS CloudTrail records all API calls made within an AWS account, including the specific IAM access key used to make those calls. By searching the CloudTrail event history, the administrator can filter by the compromised access key ID to identify every action taken during the incident timeframe. Other options like VPC Flow Logs or EC2 logs do not capture account-wide AWS API activity, and EventBridge is used for real-time event routing rather than historical auditing.
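The records CloudTrail returns (for example from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key>`) still have to be reduced to the calls that actually changed something. The script below is an added example, not part of the original question or of any AWS tooling: it takes CloudTrail records in the standard log-file layout, keeps only those made with the compromised key ID, drops read-only calls using CloudTrail's own `readOnly` flag, and reports each remaining call with whether it succeeded or was denied. The key IDs, user names and events are constructed sample data.

```python
import json
from datetime import datetime

# Constructed sample in CloudTrail log-file layout; the same record shape
# appears inside the CloudTrailEvent field of lookup-events output.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLELEAKED001"},
     "requestParameters": {"userName": "extra-admin"}},
    {"eventTime": "2024-05-01T10:01:50Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2024-05-01T10:03:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLEOTHER0001"}},
]})

READ_PREFIXES = ("Describe", "List", "Get", "Head")

def is_mutating(record):
    """Prefer CloudTrail's readOnly flag; fall back to the API name prefix if absent."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(READ_PREFIXES)

def changes_by_access_key(log_json, access_key_id):
    """Return mutating calls made with access_key_id, oldest first.
    Each entry is (eventTime, eventSource, eventName, status)."""
    records = json.loads(log_json)["Records"]
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id
            and is_mutating(r)]
    hits.sort(key=lambda r: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    # Denied calls are kept: they show what was attempted, not just what succeeded.
    return [(r["eventTime"], r["eventSource"], r["eventName"],
             "denied:" + r["errorCode"] if "errorCode" in r else "succeeded")
            for r in hits]

if __name__ == "__main__":
    for row in changes_by_access_key(SAMPLE_LOG, "AKIAEXAMPLELEAKED001"):
        print(*row)
```

Event history in the console covers only the most recent 90 days of management events, so for an older incident the same filter has to be run over the CloudTrail log files delivered to S3.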