A security auditor needs to know which IAM user deleted a specific S3 bucket last week, from which IP address the action was taken, and at what exact time. Which AWS service captures this information?
- A. Amazon CloudWatch
  Why wrong: CloudWatch collects metrics and logs from AWS services and applications. While it can capture application logs, it does not specifically record who made AWS API calls like deleting an S3 bucket.
- B. AWS Config
  Why wrong: AWS Config records the configuration state of AWS resources over time and can show that the bucket no longer exists, but it does not capture the API event details (caller identity, IP, timestamp) the way CloudTrail does.
- C. AWS CloudTrail
  Why correct: CloudTrail logs every API call to AWS services, capturing the IAM identity, source IP, timestamp, and operation details. Searching CloudTrail for DeleteBucket events would show exactly who deleted the S3 bucket, when, and from which IP.
- D. Amazon GuardDuty
  Why wrong: GuardDuty is a threat detection service that analyses CloudTrail logs among other sources to find suspicious activity. It uses CloudTrail data but is not the source of API audit records.