A SOC analyst needs an immutable, centralized audit record of configuration and API changes across multiple AWS accounts. Recently, an operator changed an IAM role trust policy, and investigators must determine exactly which principal made the change and which parameters were used.
Your current setup sends application logs to CloudWatch Logs, but there is no organization-level API audit logging.
Which approach best satisfies the requirement?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Enable an AWS Organizations CloudTrail organization trail that delivers management event logs (including IAM) to a centralized S3 bucket in a dedicated audit account, for all regions.
CloudTrail management events provide authoritative audit logs for API actions like IAM policy changes and can be centralized via an organization trail.
Use CloudWatch Logs metric filters on application logs to infer which principals changed trust policies.
CloudWatch metric filters cannot capture AWS management API calls for IAM changes unless explicitly logged by the application.
Rely on GuardDuty alerts to provide the full request parameters for every IAM policy change.
GuardDuty focuses on threat detection and does not provide comprehensive, authoritative audit trails for every IAM change.
Enable AWS Config only and store periodic snapshots without CloudTrail management events.
AWS Config records configuration state changes, but CloudTrail is the primary service for detailed API action audit logging.
Common exam trap
NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.
Technical deep dive
NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
Static NAT maps one inside address to one outside address.
The correct answer is: Enable an AWS Organizations CloudTrail organization trail that delivers management event logs (including IAM) to a centralized S3 bucket in a dedicated audit account, for all regions. — CloudTrail is the service built for auditability of AWS API activity. When an operator changes an IAM role trust policy, that action is a management event that CloudTrail records with the actor identity, timestamps, resources, and request details. An Organizations organization trail further centralizes logs across accounts and regions into a dedicated S3 location, improving investigation workflows and supporting tamper-evident storage patterns. CloudWatch application logs, GuardDuty detections, or AWS Config snapshots alone typically don’t provide complete request-level audit details. Why others are wrong: Option B won’t work because application logs generally do not include AWS management API request details for IAM changes. Option C is incorrect because GuardDuty is not an audit trail; it produces detection findings, not complete request parameters for every change. Option D is partially related but incomplete: AWS Config tracks configuration changes, while CloudTrail is required for authoritative API-level audit records and forensic timelines.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.