Question #963
A company needs to maintain a comprehensive record of all API activity across its AWS environment to meet regulatory compliance requirements. Which AWS service should be used for this purpose?
A. Amazon Detective
B. AWS Web Application Firewall
C. Amazon CloudWatch
D. AWS CloudTrail
Explanation
AWS CloudTrail (D) is designed to track and log all API activity in an AWS environment, including actions taken by users, roles, or AWS services. This makes it essential for compliance, as it provides a detailed, timestamped record of all API calls for auditing purposes.
Why other options are incorrect:
- A. Amazon Detective: Focuses on security investigation and root-cause analysis, not API logging.
- B. AWS Web Application Firewall (WAF): Protects web applications from exploits but does not log API activity.
- C. Amazon CloudWatch: Monitors metrics and logs but does not inherently track API calls; it can ingest CloudTrail logs but is not the source.
Key Points:
- CloudTrail is the primary service for auditing API activity.
- Compliance requirements often mandate detailed API logs, which CloudTrail provides.
- Other services like CloudWatch or Detective may complement CloudTrail but do not replace its core functionality.
Answer
The correct answer is: D