AWS Certified SysOps Administrator – Associate (legacy) — Question 553

A company uses federation to authenticate users and grant AWS permissions. The SysOps Administrator has been asked to determine who made a request to
AWS Organizations for a new AWS account.
What should the Administrator review to determine who made the request?

Answer options

• A. AWS CloudTrail for the federated identity user name
• B. AWS IAM Access Advisor for the federated user name
• C. AWS Organizations access log for the federated identity user name
• D. Federated identity provider logs for the user name

Correct answer: D

Explanation

When federated users access AWS, CloudTrail records the API call under an assumed role, which may not directly expose the real-world identity of the user. To map the AWS session back to the actual individual who initiated the request, the Administrator must check the logs of the external federated identity provider (IdP) where the initial authentication took place. Other tools like IAM Access Advisor or Organizations logs do not capture the external identity mapping details required for this correlation.