AWS Certified SysOps Administrator – Associate (legacy) — Question 776
You need to determine what encryption operations were taken with which key in AWS KMS to either encrypt or decrypt data in the AWS CodeCommit repository.
Which of the following actions will best help you accomplish this?
Answer options
- A. Searching for the AWS CodeCommit repository ID in AWS CloudTrail logs
- B. Searching for the encryption key ID in AWS CloudTrail logs
- C. Searching for the AWS CodeCommit repository ID in AWS CloudWatch
- D. Searching for the encryption key ID in AWS CloudWatch
Correct answer: A
Explanation
AWS CloudTrail records API activity for AWS services, and when AWS CodeCommit performs KMS operations, it uses the repository ID as the encryption context. Searching CloudTrail logs for the repository ID will pinpoint the exact encryption and decryption events. CloudWatch is designed for monitoring and metrics rather than detailed API auditing, and searching by the KMS key ID would not isolate repository-specific events as easily.
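The search described in the explanation, as an added example that is not part of the original page: it filters a CloudTrail log file for KMS calls whose encryption context carries a given repository ID and reports which key each operation used. The records, repository ID, key ARNs and the `ctx-key` context key name are constructed placeholders; the filter matches on context values because the page does not give the key name.

```python
import json
from collections import Counter

REPO_ID = "11111111-2222-3333-4444-555555555555"                # constructed repository ID
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"  # constructed key ARN
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"  # constructed key ARN

def make_kms_record(time, name, key_arn, context):
    """Build one constructed CloudTrail record for a KMS API call."""
    return {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
            "requestParameters": {"encryptionContext": context} if context else None,
            "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key"}]}

# Constructed log file. "ctx-key" is a placeholder encryption-context key name.
SAMPLE_LOG = json.dumps({"Records": [
    make_kms_record("2024-05-01T10:00:00Z", "GenerateDataKey", KEY_A, {"ctx-key": REPO_ID}),
    make_kms_record("2024-05-01T10:05:00Z", "Decrypt", KEY_A, {"ctx-key": REPO_ID}),
    make_kms_record("2024-05-01T10:06:00Z", "Decrypt", KEY_A, {"ctx-key": "other-repo-id"}),
    make_kms_record("2024-05-01T10:07:00Z", "Decrypt", KEY_B, None),  # no encryption context
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "codecommit.amazonaws.com",
     "eventName": "GetRepository", "requestParameters": {"repositoryName": "demo"}},
]})

def kms_operations_for_repository(log_text, repository_id):
    """Return sorted (eventTime, eventName, key ARN) tuples for KMS calls
    whose encryption context contains repository_id as a value."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS API calls are encryption operations
        params = rec.get("requestParameters") or {}  # may be null in a record
        context = params.get("encryptionContext") or {}
        if repository_id not in context.values():
            continue  # different repository, or no context at all
        # Decrypt requests may omit keyId; the resources list names the key used.
        arns = [r.get("ARN") for r in rec.get("resources") or []
                if r.get("type") == "AWS::KMS::Key"]
        key = arns[0] if arns else params.get("keyId", "unknown")
        hits.append((rec.get("eventTime", ""), rec.get("eventName", ""), key))
    return sorted(hits)

def summarize(hits):
    """Count operations per (key ARN, eventName) pair."""
    return Counter((key, name) for _, name, key in hits)

if __name__ == "__main__":
    for (key, name), count in summarize(
            kms_operations_for_repository(SAMPLE_LOG, REPO_ID)).items():
        print(f"{key}  {name}  x{count}")
```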