What could have been done to detect and automatically remediate the incident?
Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.
Explanations:
Amazon Inspector is not designed to review API calls or manage CloudTrail settings. It primarily focuses on security assessments of the EC2 environment and does not have capabilities to automatically remediate the issues mentioned.
AWS Config can monitor configuration changes and enforce compliance rules. By creating a config rule to detect when CloudTrail is disabled and monitoring for API key creation by the root user, it can trigger a Lambda function to re-enable CloudTrail and deactivate the newly created API keys. This provides both detection and remediation.
While CloudWatch can be used to monitor events, it is not the best fit for detecting CloudTrail deactivation in real-time and does not provide automatic remediation for root API key creation. Trusted Advisor does not provide automated detection for root key creations and lacks the ability to invoke remediation directly.
Although CloudTrail can log API events, it does not have the capability to trigger automatic remediation actions based on events. A Lambda function can be used for remediation, but without AWS Config or CloudWatch to monitor the events, there would be no proactive detection or response mechanism in place.
I plot that the answer is:
Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.