How should the SysOps administrator meet these requirements?
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send all IAM events to an AWS Lambda function for analysis.
Query Amazon EC2 logs by using Amazon CloudWatch Logs Insights for all events initiated with the compromised access key within the suspected timeframe.
Search AWS CloudTrail event history for all events initiated with the compromised access key within the suspected timeframe.
Search VPC Flow Logs for all events initiated with the compromised access key within the suspected timeframe.
Explanations:
While creating an Amazon EventBridge rule to send IAM events to a Lambda function may help in monitoring, it does not provide immediate visibility into actions taken with the compromised access key. EventBridge is more useful for real-time alerts rather than retrospective analysis.
Querying Amazon EC2 logs via CloudWatch Logs Insights focuses on EC2 instance logs rather than API calls made using IAM credentials. This does not directly track the use of the access key across AWS services.
AWS CloudTrail logs all API calls made within an AWS account, including those made with specific IAM access keys. By searching the CloudTrail event history, the administrator can identify all actions taken using the compromised access key within the specified timeframe.
VPC Flow Logs capture network traffic information but do not log API calls or actions taken within the AWS account. Therefore, they cannot provide insight into activities associated with the compromised access key.
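To make the CloudTrail approach concrete, the following added example (not part of the original question or explanation) filters constructed CloudTrail records, in the JSON shape a trail delivers to S3, down to the events made with one access key inside a suspected time window; the key IDs are AWS's documented placeholder values and the events are made up.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records (not real account data). Each record carries
# the calling key under userIdentity.accessKeyId, which is what the search pivots on.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2024-05-03T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]})


def parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_for_key(trail_json: str, access_key_id: str, start: str, end: str) -> list:
    """Return (eventTime, eventSource, eventName, sourceIPAddress) tuples for every
    record made with access_key_id whose eventTime falls inside [start, end], oldest
    first. The console/CLI equivalent is:
      aws cloudtrail lookup-events \
        --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key> \
        --start-time <start> --end-time <end>
    """
    lo, hi = parse_time(start), parse_time(end)
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        if lo <= parse_time(rec["eventTime"]) <= hi:
            hits.append((rec["eventTime"], rec["eventSource"],
                         rec["eventName"], rec["sourceIPAddress"]))
    return sorted(hits)  # ISO-8601 Z timestamps sort chronologically as strings


if __name__ == "__main__":
    for hit in events_for_key(SAMPLE_TRAIL, "AKIAIOSFODNN7EXAMPLE",
                              "2024-05-01T00:00:00Z", "2024-05-02T00:00:00Z"):
        print(*hit)
```

The console event history covers only the last 90 days of management events; for older activity or data events, run the same filter over the trail's S3 objects (or query them with Athena).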