What approach would enable the Security team to find out what the former employee may have done within AWS?
Use the AWS CloudTrail console to search for user activity.
Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.
Use AWS Config to see what actions were taken by the user.
Use Amazon Athena to query CloudTrail logs stored in Amazon S3.
Explanations:
AWS CloudTrail records all API calls made in the AWS account, including those made by specific users. The Security team can use the CloudTrail console to filter events by the specific access key used by the former employee to see what actions were taken during the specified time frame.
While Amazon CloudWatch Logs can be used to filter logs, it does not store CloudTrail logs directly. Instead, CloudTrail logs are stored in S3, and CloudWatch can be configured to monitor CloudTrail, but it is not the best tool for directly searching user activity in this scenario.
AWS Config provides resource configuration history and compliance tracking, but it does not directly track user actions or API calls. Thus, it would not provide insights into what actions the former employee took using the access key.
Amazon Athena is used to query data stored in Amazon S3, including CloudTrail logs if they are stored there. However, the best and direct approach to analyze user activity specifically related to the access key is through the CloudTrail console itself, making this option less straightforward than option A.
I opine that the answer is:
Use the AWS CloudTrail console to search for user activity.