AWS Certified Solutions Architect - Associate / Question #1414 of 1019

Question #1414

An IAM user inadvertently modified the IAM role attached to a critical EC2 instance in their company's AWS account, causing application downtime. A solutions architect needs to identify which IAM user made the unauthorized role modification to prevent future incidents.

Which service should the solutions architect use to determine the responsible user?

A. Amazon GuardDuty

B. Amazon Inspector

C. AWS CloudTrail

D. AWS Config

Explanation

The correct answer is C (AWS CloudTrail) because:
1. CloudTrail records AWS API calls and events, including IAM role modifications, with details like the user identity, timestamp, and API parameters. This enables auditing to trace unauthorized changes.
2. Why the other options are incorrect:
- A (GuardDuty): Focuses on threat detection via ML analysis of account activity (e.g., flagging unusual API calls), but it produces findings, not a granular audit log of each API call and the identity behind it.
- B (Inspector): Scans EC2 instances and applications for software vulnerabilities; it does not track user actions.
- D (AWS Config): Records what changed in a resource's configuration over time, but the identity of who made the change comes from the CloudTrail events that Config links to each configuration item, not from Config itself.
Key Point: CloudTrail is the primary service for auditing user-level API activity in AWS.
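The audit described in the explanation, as an added example that is not part of the original question: the script below parses CloudTrail records, keeps only IAM management events that modify a role (the set of event names is a real but hand-picked selection, an assumption about what "modifying the role" covers), and reports the actor, time, source IP and whether the call succeeded. The records are constructed for this example; field names follow the CloudTrail event schema, and the account id and IP addresses are documentation values.

```python
import json

# IAM management events that change what a role can do or who can assume it.
# These are real IAM API names; which ones count as "modifying the role" is an
# assumption made for this example.
ROLE_CHANGE_EVENTS = {
    "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy",
    "UpdateAssumeRolePolicy", "UpdateRole", "DeleteRole",
    "AddRoleToInstanceProfile", "RemoveRoleFromInstanceProfile",
}

# Constructed CloudTrail records (not from a real account).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-03T09:12:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {}},
    {"eventTime": "2024-05-03T09:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "app-server-role"}},
    {"eventTime": "2024-05-03T09:15:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DetachRolePolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "app-server-role",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
    {"eventTime": "2024-05-03T09:16:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "sourceIPAddress": "198.51.100.22",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-run-42",
                      "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}},
     "requestParameters": {"roleName": "build-role", "policyDocument": "{...}"}},
    {"eventTime": "2024-05-03T09:20:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "sourceIPAddress": "203.0.113.44",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"roleName": "app-server-role", "policyName": "inline-admin"}},
]})


def parse_records(raw: str) -> list:
    """Load the CloudTrail log-file envelope and return its Records list."""
    return json.loads(raw)["Records"]


def caller_name(identity: dict) -> str:
    """Reduce the userIdentity block to a readable actor name."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", "<unknown-user>")
    if kind == "AssumedRole":
        # The session ARN ends in ROLE/SESSION; the session name usually names
        # the pipeline or person that assumed the role.
        return identity.get("arn", "").split(":assumed-role/")[-1] or "<unknown-session>"
    if kind == "Root":
        return "root"
    return identity.get("arn", kind or "<unknown>")


def find_role_changes(records: list, role_name=None, successful_only=False) -> list:
    """Return role-modifying IAM events, oldest first, optionally for one role.

    Failed attempts (errorCode present, e.g. AccessDenied) are kept by default
    because they show who tried, which matters when investigating."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in ROLE_CHANGE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("roleName")
        if role_name is not None and target != role_name:
            continue
        succeeded = "errorCode" not in rec
        if successful_only and not succeeded:
            continue
        hits.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "role": target,
            "actor": caller_name(rec.get("userIdentity", {})),
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": succeeded,
            "error": rec.get("errorCode"),
            "detail": {k: v for k, v in params.items() if k != "roleName"},
        })
    hits.sort(key=lambda h: h["time"])  # ISO-8601 'Z' timestamps sort lexically
    return hits


def who_changed_role(records: list, role_name: str) -> list:
    """Actors whose role modification actually succeeded, in time order."""
    return [h["actor"] for h in find_role_changes(records, role_name, successful_only=True)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_TRAIL)
    for h in find_role_changes(recs):
        status = "ok" if h["succeeded"] else f"FAILED ({h['error']})"
        print(f"{h['time']} {h['actor']:<22} {h['action']:<24} {h['role']:<16} {h['source_ip']:<14} {status}")
    print("successful changes to app-server-role by:", who_changed_role(recs, "app-server-role"))
```

Against a real trail the same logic runs over the gzipped JSON files CloudTrail delivers to S3, or as a CloudTrail Lake or Athena query on the same fields (eventName, userIdentity, requestParameters, errorCode); the point the question tests is that these per-call identity fields exist only in CloudTrail, which is why Config and GuardDuty cannot answer "who" on their own.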

Answer

The correct answer is: C