A company uses AWS Key Management Service (KMS) to encrypt data at rest. The security team needs to know who attempted to decrypt data using a specific KMS key and whether the attempt succeeded. Which AWS service should the team use?
CloudTrail logs all KMS API calls.
Why this answer
AWS CloudTrail is the correct service because it records every KMS API call, including Decrypt, Encrypt, and GenerateDataKey, as a management event. Each event carries the caller (userIdentity), the time, the source IP address, and the key's ARN in the resources list (even when the caller referred to the key by alias or bare key ID). Success is indicated by the absence of an errorCode field; a failed call has an errorCode such as AccessDenied and an errorMessage naming the principal, the action, and the key. Filtering CloudTrail events for the specific key ARN therefore tells the security team exactly who attempted to call Decrypt and whether the call was allowed, which is the audit trail needed for incident response. Two practical caveats: Decrypt, Encrypt, and GenerateDataKey are logged as read-only events, so a trail configured to record only write management events will not capture them, and the console Event history covers only the last 90 days, so longer retention requires a trail delivering to S3 or a CloudTrail Lake event data store.
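The following is an added example, not code from the original page or from AWS, showing how the CloudTrail lookup described above works against raw trail records. It parses a CloudTrail log-file JSON object ({"Records": [...]}) offline and reports, for one key ARN, every Decrypt caller and whether the call succeeded. The records are constructed here for the example; the key ARNs, account ID, principal ARNs, and IP addresses are placeholders, and the helper `_rec` exists only to build those samples.

```python
"""Who tried to Decrypt with a given KMS key, and did it succeed?

Added example for this page, not AWS code. It parses CloudTrail
log-file JSON ({"Records": [...]}) offline. The records below are
constructed; the key ARNs, account ID, principal ARNs and IPs are
placeholders, and field names follow the documented CloudTrail
record format (eventSource, eventName, errorCode, resources, ...).
"""
import json
from dataclasses import dataclass
from typing import List, Optional

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987fedc-12ab-34cd-56ef-1234567890ab"


def _rec(event_name, principal_arn, key_arn, ip, when, error=None):
    """Build one constructed CloudTrail record with the fields we inspect."""
    rec = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole", "arn": principal_arn},
        "eventTime": when,
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": key_arn},
        "responseElements": None,
        "readOnly": True,
        "eventType": "AwsApiCall",
    }
    if error is None:
        # Successful calls list the key ARN in "resources", even when the
        # caller passed an alias or bare key ID instead of the ARN.
        rec["resources"] = [{"type": "AWS::KMS::Key", "ARN": key_arn}]
    else:
        # Failed calls carry errorCode/errorMessage; the message names the key.
        rec["errorCode"] = error
        rec["errorMessage"] = (f"User: {principal_arn} is not authorized to perform: "
                               f"kms:{event_name} on resource: {key_arn}")
    return rec


# Constructed sample log: two Decrypt calls on KEY_ARN (one allowed, one
# denied), one Decrypt on a different key, and one GenerateDataKey on KEY_ARN.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("Decrypt", "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc", KEY_ARN,
         "10.0.1.25", "2024-05-01T10:00:00Z"),
    _rec("Decrypt", "arn:aws:sts::111122223333:assumed-role/Contractor/bob", KEY_ARN,
         "203.0.113.7", "2024-05-01T10:05:00Z", error="AccessDenied"),
    _rec("Decrypt", "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc", OTHER_KEY_ARN,
         "10.0.1.25", "2024-05-01T10:06:00Z"),
    _rec("GenerateDataKey", "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc", KEY_ARN,
         "10.0.1.25", "2024-05-01T10:07:00Z"),
]})


@dataclass
class Attempt:
    event_time: str
    event_name: str
    principal: str
    source_ip: str
    succeeded: bool
    error: Optional[str]


def touches_key(record: dict, key_arn: str) -> bool:
    """True if the record concerns key_arn; the resources list is checked first."""
    for res in record.get("resources") or []:
        if res.get("ARN") == key_arn:
            return True
    params = record.get("requestParameters") or {}
    if params.get("keyId") == key_arn:
        return True
    # Denied calls may omit "resources"; the error text still names the key.
    return key_arn in (record.get("errorMessage") or "")


def key_usage(log_text: str, key_arn: str, event_names=("Decrypt",)) -> List[Attempt]:
    """Return every matching KMS call on key_arn with caller and outcome."""
    out = []
    for r in json.loads(log_text)["Records"]:
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("eventName") not in event_names:
            continue
        if not touches_key(r, key_arn):
            continue
        err = r.get("errorCode")  # absent on a successful call
        out.append(Attempt(r["eventTime"], r["eventName"],
                           r.get("userIdentity", {}).get("arn", "unknown"),
                           r.get("sourceIPAddress", ""), err is None, err))
    return out


if __name__ == "__main__":
    for a in key_usage(SAMPLE_LOG, KEY_ARN):
        status = "OK" if a.succeeded else f"FAILED ({a.error})"
        print(f"{a.event_time} {a.event_name} by {a.principal} from {a.source_ip}: {status}")
```

In practice the same filter runs over the gzipped JSON files a trail delivers to S3, or as a query in CloudTrail Lake or Athena; the fields inspected (eventSource, eventName, resources[].ARN, errorCode, userIdentity.arn) are the same. For the last 90 days, the console Event history or `aws cloudtrail lookup-events` with a ResourceName lookup attribute set to the key ARN returns the same records without any log parsing.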
Exam trap
The trap here is that candidates confuse AWS Config (which tracks resource configuration) with CloudTrail (which tracks API activity), or they assume KMS key policies themselves provide audit logs, when in fact policies only control permissions and do not generate event records.
How to eliminate wrong answers
Option A is wrong because AWS Config evaluates resource compliance against rules and records configuration changes (for example, a change to a key's policy or rotation setting), but it does not capture API-level actions such as decryption attempts. Option B is wrong because a KMS key policy defines who may use the key and under what conditions, but it does not generate logs or keep any historical record of decryption attempts; a denial produced by the policy is visible only through the CloudTrail event it causes. Option D is wrong because CloudWatch Logs can store log data from many sources, but it is not the service that records KMS API calls; CloudTrail generates those events, and a trail can optionally be configured to deliver them to a CloudWatch Logs log group for alarming.