A security engineer is analyzing a potential security incident involving an Amazon RDS for MySQL database. The engineer suspects that a SQL injection attack was successful. Which AWS service can the engineer use to review the actual SQL queries that were executed against the database?
RDS Audit Logs can record SQL statements executed.
Why this answer
Amazon RDS for MySQL supports audit logs that capture detailed records of database activity, including the text of the SQL statements that were actually executed. By enabling the `audit_log` plugin and configuring the `server_audit_events` parameter, the engineer can review the exact SQL statements that were run, which is what is needed to confirm a SQL injection attack and see which queries the attacker injected. This is the only AWS service that provides query-level visibility into RDS database operations.
Exam trap
The trap here is that candidates often confuse AWS CloudTrail (which logs control-plane API calls) with database audit logs (which log data-plane SQL queries), leading them to incorrectly select CloudTrail for reviewing executed SQL statements.
How to eliminate wrong answers
Option A is wrong because VPC Flow Logs capture metadata about network traffic (IP addresses, ports, protocols) but do not log the content of SQL queries or database operations. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes AWS CloudTrail events, VPC Flow Logs, and DNS logs for suspicious activity, but it does not provide direct access to the SQL queries executed against an RDS database. Option C is wrong because AWS CloudTrail records API calls made to the RDS service (e.g., creating a DB instance) but does not log the data-plane SQL queries executed within the database itself.