A security engineer is investigating an AWS CloudTrail log entry that shows an unauthorized API call to delete an S3 bucket. Which service should the engineer use to analyze the log data for patterns of similar malicious activity?
Amazon GuardDuty. It is purpose-built for threat detection and analyzes CloudTrail events, VPC Flow Logs, and DNS logs without any manual querying.
Why this answer
Amazon GuardDuty is a managed threat detection service that continuously monitors AWS accounts for malicious or anomalous activity, including unauthorized API calls such as the S3 DeleteBucket attempt in the question. It applies machine learning, anomaly detection, and integrated threat intelligence to CloudTrail management events (DeleteBucket is a bucket-level management event), CloudTrail S3 data events, VPC Flow Logs, and DNS query logs, and it consumes these sources through its own stream, so it does not depend on a trail you have configured. Because it correlates events across principals, source IPs, and time, it can surface repeated or related unauthorized behavior across the environment and raise findings for it. That makes GuardDuty the correct choice when the requirement is detecting and alerting on patterns of unauthorized activity, rather than merely storing logs or checking compliance.
Exam trap
The trap is confusing Amazon CloudWatch Logs Insights, which lets you write queries over log data you have sent to it, with GuardDuty's automated threat detection. Logs Insights only finds the patterns you already know to query for; GuardDuty is purpose-built to identify malicious activity using built-in detections and threat intelligence, with no manual log analysis required. In practice an engineer would still use Logs Insights or Athena for ad-hoc hunting around a specific event, but the question asks for the service that detects patterns of malicious activity, and that is GuardDuty.
How to eliminate wrong answers
Option A is wrong because AWS Config evaluates resource configurations and records configuration history against compliance rules; it does not analyze CloudTrail events for malicious activity and has no threat detection capability. Option B is wrong because Amazon CloudWatch Logs Insights is a query tool for searching and aggregating log data: it can find a pattern only if you write the query for it, requires the logs to be delivered to CloudWatch Logs first, and has no built-in threat intelligence or automated detection. Option C is wrong because AWS Artifact is a self-service portal for downloading AWS compliance reports and agreements; it has no ability to analyze CloudTrail logs or detect unauthorized activity.
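For contrast with GuardDuty's automated detection, the following added example (not part of the original page) shows what the manual analysis path looks like: it parses a constructed CloudTrail log file, keeps only unauthorized S3 DeleteBucket calls, and clusters them by principal and source IP to find repeated attempts. The field names (eventSource, eventName, errorCode, userIdentity.arn, sourceIPAddress, requestParameters.bucketName) follow the CloudTrail record schema; the records, ARNs, IP addresses and bucket names are constructed sample data, and the three-attempt threshold is an assumption.

```python
"""Manual triage of CloudTrail records for repeated unauthorized S3 DeleteBucket calls.

Added example, not code from the original page. This is the hand-written
equivalent of the pattern detection that GuardDuty performs automatically.
"""
import json
from collections import defaultdict

# Constructed sample CloudTrail log file (the "Records" array is the real
# CloudTrail file layout; the records themselves are invented for this example).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "prod-backups"}},
    {"eventTime": "2024-05-01T10:00:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "prod-logs"}},
    {"eventTime": "2024-05-01T10:00:15Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "prod-data"}},
    # Legitimate, successful deletion: no errorCode, so it is not "unauthorized".
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"bucketName": "scratch-tmp"}},
    # A one-off denied attempt by a different principal: below the threshold.
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "eu-west-1",
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"bucketName": "dev-artifacts"}},
    # Unrelated service call, filtered out by eventSource.
    {"eventTime": "2024-05-01T11:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"}},
]})

# errorCode values CloudTrail uses for denied calls.
UNAUTHORIZED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def unauthorized_s3_deletes(log_text):
    """Return the records that are denied S3 DeleteBucket calls."""
    records = json.loads(log_text)["Records"]
    return [r for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("eventName") == "DeleteBucket"
            and r.get("errorCode") in UNAUTHORIZED_CODES]


def cluster_by_actor(events):
    """Group events by (principal ARN, source IP); count attempts, buckets, and time span."""
    clusters = defaultdict(lambda: {"attempts": 0, "buckets": set(), "first": None, "last": None})
    for e in events:
        key = (e.get("userIdentity", {}).get("arn", "unknown"),
               e.get("sourceIPAddress", "unknown"))
        c = clusters[key]
        c["attempts"] += 1
        c["buckets"].add(e.get("requestParameters", {}).get("bucketName", "unknown"))
        ts = e["eventTime"]  # ISO-8601 UTC, so string comparison orders correctly
        c["first"] = ts if c["first"] is None or ts < c["first"] else c["first"]
        c["last"] = ts if c["last"] is None or ts > c["last"] else c["last"]
    return dict(clusters)


def suspicious_actors(log_text, min_attempts=3):
    """Actors with at least min_attempts denied DeleteBucket calls (threshold is an assumption)."""
    clusters = cluster_by_actor(unauthorized_s3_deletes(log_text))
    return sorted(k for k, c in clusters.items() if c["attempts"] >= min_attempts)


if __name__ == "__main__":
    for (arn, ip), c in cluster_by_actor(unauthorized_s3_deletes(SAMPLE_LOG)).items():
        print(f"{arn} from {ip}: {c['attempts']} denied DeleteBucket calls on "
              f"{sorted(c['buckets'])} between {c['first']} and {c['last']}")
    print("flagged:", suspicious_actors(SAMPLE_LOG))
```

Every decision in this script (which error codes count, which fields identify an actor, what threshold means "a pattern") is something the analyst has to choose and maintain by hand, and it only ever finds the single pattern it was written for. That is the gap GuardDuty closes: its detections and threat intelligence are maintained by the service, and it evaluates the CloudTrail stream continuously rather than when someone remembers to run a query.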