A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the containment trade-off phase, which response balances containment with evidence preservation?
Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.
Why this answer
Option D is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs) capture control-plane API calls such as IAM policy changes, access key creation, and authentication events. These logs provide the strongest evidence of identity and access management (IAM) compromise at the control plane, as they directly record who made what change, from which source IP, and with what outcome. In the containment trade-off phase, preserving these logs while disabling compromised keys or applying a deny-all policy balances stopping the attacker with retaining forensic evidence.
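To make the "who, what, from where, with what outcome" point concrete, here is an added triage script (not part of the original explanation) that groups constructed CloudTrail-style records by principal and scores the three signals from the scenario; the event records, the IP-to-country table standing in for a GeoIP lookup, and the baseline country set are all assumptions constructed for the example.

```python
from collections import defaultdict

# CloudTrail event names for the scenario's three control-plane signals.
IAM_POLICY_CHANGE = {"PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy",
                     "PutRolePolicy", "CreatePolicyVersion"}
KEY_CREATION = {"CreateAccessKey"}

# Constructed IP-to-country table standing in for a GeoIP database (assumption).
GEOIP = {"203.0.113.5": "US", "198.51.100.77": "XX", "192.0.2.9": "US"}
BASELINE_COUNTRIES = {"US"}  # countries the tenant's users normally log in from

# Constructed CloudTrail-style records, trimmed to the fields the triage uses.
ALICE = {"arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"arn": "arn:aws:iam::111122223333:user/bob"}
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.77", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.77", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.77"},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.77"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": BOB,
     "sourceIPAddress": "203.0.113.5"},
]

def triage_control_plane(events, geoip=GEOIP, baseline=BASELINE_COUNTRIES):
    """Group control-plane events by principal; flag identity changes from new countries."""
    summary = defaultdict(lambda: {"iam_changes": 0, "keys_created": 0, "failed_logins": 0,
                                   "new_countries": set(), "source_ips": set()})
    for ev in events:
        s = summary[ev.get("userIdentity", {}).get("arn", "unknown")]
        ip = ev.get("sourceIPAddress", "")
        s["source_ips"].add(ip)
        country = geoip.get(ip, "unknown")      # unknown is treated as new, not ignored
        if country not in baseline:
            s["new_countries"].add(country)
        name = ev.get("eventName")
        if name in IAM_POLICY_CHANGE:
            s["iam_changes"] += 1
        elif name in KEY_CREATION:
            s["keys_created"] += 1
        elif name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            s["failed_logins"] += 1
    for s in summary.values():  # identity/policy change from a new country is the strong signal
        s["suspicious"] = bool(s["new_countries"]) and (s["iam_changes"] + s["keys_created"]) > 0
    return dict(summary)
```

Run against real CloudTrail exports, the same grouping tells the responder which principal's keys to disable first while the log records themselves stay untouched as evidence.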
Exam trap
CompTIA often tests the distinction between control-plane and data-plane telemetry, and the trap here is that candidates confuse web server logs or endpoint logs with cloud audit logs, failing to recognize that only cloud audit logs capture identity and policy API calls at the control plane.
How to eliminate wrong answers
Option A is wrong because web server access logs from a public website only record HTTP requests to the application layer (e.g., GET/POST to web pages), not IAM policy changes, access key creation, or failed console logons; those are control-plane operations, not data-plane web traffic. Option B is wrong because packet captures from user laptops only show network-layer traffic (e.g., TCP/UDP flows) and cannot capture cloud API calls made to the cloud provider's control-plane endpoints (e.g., `iam.amazonaws.com`), which are TLS-encrypted, so their contents are not visible at the laptop's network interface. Option C is wrong because endpoint antivirus quarantine reports only log malware detections on local endpoints (e.g., file hashes, process names), not cloud-side identity or policy changes; they provide no visibility into cloud control-plane API calls.