A security engineer notices that an S3 bucket containing sensitive data has been accessed from an IP address outside the allowed range. CloudTrail logs show the access was made using temporary credentials from an assumed role. What additional logging is needed to trace the access back to the original IAM user who assumed the role?
No additional logging is needed: CloudTrail management events already record the assumed-role session on the S3 call, and the AssumeRole call that created that session is itself a CloudTrail event that names the original IAM user.
Why this answer
Option A is correct because CloudTrail already holds everything needed. The S3 event's userIdentity block records the assumed-role session ARN, the temporary access key ID and sessionContext.sessionIssuer. Note that sessionIssuer identifies the role that was assumed, not the user who assumed it; the user is found in the AssumeRole event (eventSource sts.amazonaws.com), whose userIdentity is the calling IAM user and whose responseElements.credentials.accessKeyId is the same temporary key that appears on the S3 event. Matching those keys is the authoritative link; roleSessionName is chosen by the caller and proves nothing. If the AssumeRole call was itself made from an assumed role (role chaining), repeat the lookup until you reach an IAM user or federated principal, and expect to consult the trail of the account that owns the role for cross-account assumptions. Where a source identity is set on the session, sessionContext.sourceIdentity carries the originating identity on every event and survives chaining. Option B is wrong because VPC Flow Logs record only address, port and protocol tuples and carry no IAM identity. Option C is wrong because CloudWatch Logs is a delivery destination for CloudTrail, not an independent source of identity information.
Option D is wrong because S3 server access logs identify the requester only as the assumed-role session and do not show who created that session. Option E is wrong because AWS Config records resource configuration changes, not API calls.
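The correlation described in the explanation above, as an added example that is not part of the original page. It works over constructed CloudTrail records (the account ID, ARNs, access key IDs, bucket name and IP addresses are made up; the field names follow CloudTrail's documented record format) and also covers the role-chaining case: an IAM user assumes one role, that session assumes a second role, and the second session reads the bucket from outside the allowed range.

```python
"""Trace an assumed-role S3 access back to the originating IAM user using
only CloudTrail records. Added example, not from the original page: the
records are constructed (account ID, ARNs, key IDs and IPs are made up);
the field names follow CloudTrail's documented record format."""
import ipaddress

ACCT = "111122223333"
# Constructed CloudTrail records. The link between them is the temporary
# access key ID: AssumeRole returns it in responseElements.credentials and
# every later call made with that session carries it in userIdentity.accessKeyId.
EVENTS = [
    {   # IAM user alice assumes DataReaderRole
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice",
                         "accessKeyId": "AKIAEXAMPLEALICE0001"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/DataReaderRole",
                              "roleSessionName": "alice-session"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEROLEA0001"}},
    },
    {   # Role chaining: that session assumes BucketAdminRole. roleSessionName is
        # chosen by the caller, so "ops" says nothing about alice.
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCT}:assumed-role/DataReaderRole/alice-session",
                         "accessKeyId": "ASIAEXAMPLEROLEA0001",
                         "sessionContext": {"sessionIssuer": {"type": "Role",
                             "arn": f"arn:aws:iam::{ACCT}:role/DataReaderRole"}}},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/BucketAdminRole",
                              "roleSessionName": "ops"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEROLEB0002"}},
    },
    {   # The suspicious read, from outside the allowed range
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCT}:assumed-role/BucketAdminRole/ops",
                         "accessKeyId": "ASIAEXAMPLEROLEB0002",
                         "sessionContext": {"sessionIssuer": {"type": "Role",
                             "arn": f"arn:aws:iam::{ACCT}:role/BucketAdminRole"}}},
        "requestParameters": {"bucketName": "sensitive-data-bucket", "key": "customers.csv"},
    },
]

# STS calls that mint temporary credentials and therefore start a session.
SESSION_MINTING_CALLS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}


def out_of_range_bucket_access(events, bucket, allowed_cidrs):
    """S3 events against `bucket` whose source address is outside `allowed_cidrs`.
    A non-IP sourceIPAddress (an AWS service principal acting for the caller)
    cannot be matched against the range, so it is kept as a finding too."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("requestParameters", {}).get("bucketName") != bucket:
            continue
        try:
            addr = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            hits.append(ev)
            continue
        if not any(addr in net for net in nets):
            hits.append(ev)
    return hits


def trace_principal(event, events):
    """Follow an event's temporary credentials back through the STS calls that
    minted them. Returns (chain, resolved): chain lists identity ARNs from the
    accessing session to the origin; resolved is False when a link is missing
    from `events` (e.g. logged only in another account's trail) or loops."""
    minted = {}
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") in SESSION_MINTING_CALLS:
            key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:
                minted[key] = ev
    chain, seen_keys, current = [], set(), event
    while True:
        ident = current["userIdentity"]
        chain.append(ident["arn"])
        if ident.get("type") != "AssumedRole":
            return chain, True  # an IAM user, root, or federated principal
        key = ident.get("accessKeyId")
        if key in seen_keys or key not in minted:
            return chain, False
        seen_keys.add(key)
        current = minted[key]


def session_issuer(event):
    """The role a session was issued for; it is not the user who assumed it."""
    return event["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


if __name__ == "__main__":
    for hit in out_of_range_bucket_access(EVENTS, "sensitive-data-bucket", ["203.0.113.0/24"]):
        chain, ok = trace_principal(hit, EVENTS)
        print(f"{hit['eventName']} from {hit['sourceIPAddress']} as {hit['userIdentity']['arn']}")
        print(f"  sessionIssuer (role): {session_issuer(hit)}")
        print(f"  origin: {chain[-1] if ok else 'unresolved'}  via {' <- '.join(chain)}")
```

Against real trails the same logic applies to records pulled from CloudTrail Lake, Athena over the S3 delivery bucket, or LookupEvents; drop the first AssumeRole record from EVENTS and the trace returns resolved False, which is what a cross-account assumption looks like when only the trusting account's trail is in hand.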