Question #963
A company had an Amazon S3 bucket named secure-data that was deleted within the past 90 days. A developer needs to find which IAM user or role deleted the bucket in the AWS environment. Which solution will provide this information?
A. Retrieve the AWS CloudTrail events for the resource secure-data where the event name is DeleteBucket. Inspect each event.
B. Retrieve the Amazon CloudWatch log events from the most recent log stream within the S3/secure-data log group. Inspect the log events.
C. Retrieve the AWS X-Ray trace summaries. Filter by services with the name secure-data. Inspect the ErrorRootCauses values within each summary.
D. Retrieve the AWS Config resource inventory. Filter the inventory by resources with a type of AWS::S3::Bucket. Inspect the deletion details.
Explanation
The correct answer is A because AWS CloudTrail records the API calls made in an AWS account, and deleting a bucket is the S3 DeleteBucket management API call. Each DeleteBucket event carries a userIdentity element that names the calling IAM user or assumed role (for a role, the role ARN is under sessionContext.sessionIssuer), and requestParameters.bucketName names the bucket. CloudTrail Event history keeps the last 90 days of management events with no setup, which covers the window in the question, so the developer filters events by the DeleteBucket event name, keeps the one whose bucketName is secure-data, and reads the principal from userIdentity.
Why other options are incorrect:
- B: S3 does not write bucket events to a CloudWatch Logs log group such as S3/secure-data. S3 server access logs, when enabled, are delivered to another S3 bucket, and the CloudWatch metrics that S3 publishes do not record who deleted a bucket.
- C: AWS X-Ray is used for tracing application requests, not auditing resource deletions.
- D: AWS Config records configuration changes, including a deletion, for the resources it is set up to track, but the configuration item does not contain the identity that made the change. Config only links a change to its related CloudTrail event, which is where the IAM user or role is recorded.
Key Points:
- CloudTrail is the primary service for auditing API activity.
- Bucket deletion events are logged as 'DeleteBucket' in CloudTrail.
- CloudTrail Event history keeps only the last 90 days of management events. Events older than that are available only if a trail was configured to deliver logs to an S3 bucket (or to CloudTrail Lake) before the deletion happened.
Answer
The correct answer is: A
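As an added worked example (not part of the original question or of AWS's own tooling), the following script does what option A describes: it filters CloudTrail DeleteBucket records down to the bucket of interest and reads the responsible principal from the userIdentity block, distinguishing an IAM user from an assumed role. The account ID, user and role names, timestamps and IP addresses in the sample records are constructed placeholders. The parsing functions run offline; the lookup_delete_bucket_events() helper is the live path through the CloudTrail lookup_events API and needs boto3 and AWS credentials.

```python
"""Identify the IAM principal that deleted an S3 bucket from CloudTrail DeleteBucket events.

Added example, not from the original page or from AWS. The parsing functions run
offline against the constructed SAMPLE_RECORDS; lookup_delete_bucket_events()
needs boto3 and credentials and is the only part that talks to AWS.
"""
import json
from datetime import datetime, timedelta, timezone


def principal_from_identity(identity: dict) -> str:
    """Summarise a CloudTrail userIdentity block as 'type name (arn)'.

    An IAMUser record carries userName and the user ARN directly. For an
    AssumedRole record, arn is the STS session ARN
    (arn:aws:sts::ACCOUNT:assumed-role/Role/Session) and the role's own ARN is
    under sessionContext.sessionIssuer.arn; an investigator wants both.
    """
    kind = identity.get("type")
    arn = identity.get("arn")
    if kind == "IAMUser":
        return f"IAMUser {identity.get('userName')} ({arn})"
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return f"AssumedRole {issuer.get('arn')} via session {arn}"
    if kind == "Root":
        return f"Root ({arn})"
    return f"{kind} ({arn})"


def find_bucket_deleters(records, bucket_name: str):
    """Return (eventTime, principal, sourceIPAddress) for each DeleteBucket on bucket_name.

    `records` are CloudTrail records as dicts: the JSON-decoded CloudTrailEvent
    string from lookup_events, or the entries of the "Records" array in a trail's
    log files. Both carry eventName, userIdentity and requestParameters at the
    top level. Event history lookups accept a single attribute, so the API-side
    filter is EventName and the bucket name is matched here.
    """
    hits = []
    for rec in records:
        if rec.get("eventName") != "DeleteBucket":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket_name:
            continue
        hits.append((rec.get("eventTime"),
                     principal_from_identity(rec.get("userIdentity", {})),
                     rec.get("sourceIPAddress")))
    return hits


def lookup_delete_bucket_events(bucket_name: str, days: int = 90):
    """Live path: pull DeleteBucket events from CloudTrail Event history (90-day
    window) and filter them to bucket_name. Needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline parsing above has no AWS dependency
    client = boto3.client("cloudtrail")
    end = datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    records = []
    for page in client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "DeleteBucket"}],
        StartTime=start,
        EndTime=end,
    ):
        for ev in page.get("Events", []):
            records.append(json.loads(ev["CloudTrailEvent"]))
    return find_bucket_deleters(records, bucket_name)


# Constructed sample records in the CloudTrail record shape; account ID, names,
# times and IP addresses are placeholders, not real data.
SAMPLE_RECORDS = [
    {   # a different bucket, deleted by an IAM user: must not match
        "eventTime": "2024-03-09T08:01:12Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "scratch-bucket"},
    },
    {   # the right bucket, but a policy change rather than a deletion: must not match
        "eventTime": "2024-03-10T13:50:41Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketPolicy", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "secure-data"},
    },
    {   # the deletion being investigated, made through an assumed role
        "eventTime": "2024-03-10T14:22:05Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-run-4471",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "userName": "DeployRole",
                "arn": "arn:aws:iam::123456789012:role/DeployRole"}},
        },
        "requestParameters": {"bucketName": "secure-data"},
    },
]


if __name__ == "__main__":
    for when, who, ip in find_bucket_deleters(SAMPLE_RECORDS, "secure-data"):
        print(f"{when}  {who}  from {ip}")
```

Run against the sample records this reports the single DeleteBucket on secure-data and attributes it to the DeployRole role rather than to the anonymous-looking STS session ARN, which is the detail that is easy to misread in the console. If the deletion is older than 90 days, Event history will not return it; in that case load the "Records" arrays from the trail's gzipped log files in S3 (or query them with Athena) and pass them to find_bucket_deleters() unchanged, since the record shape is the same.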