How should you do this?

Your CTO has asked you to make sure that you know what all users of your AWS account are doing to change resources
at all times. She wants a report of who is doing what over time, reported to her once per week, for as broad a resource
type group as possible. How should you do this?


A. Create a global AWS CloudTrail Trail. Configure a script to aggregate the log data delivered to S3 once per week and deliver this to the CTO.

B. Use CloudWatch Events Rules with an SNS topic subscribed to all AWS API calls. Subscribe the CTO to an email type delivery on this SNS Topic.

C. Use AWS IAM credential reports to deliver a CSV of all uses of IAM User Tokens over time to the CTO.

D. Use AWS Config with an SNS subscription on a Lambda, and insert these changes over time into a DynamoDB table. Generate reports based on the contents of this table.

Explanation:
This is the ideal use case for AWS CloudTrail. CloudTrail provides visibility into user activity by recording API calls made
on your account. CloudTrail records important information about each API call, including the name of the API, the identity
of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service.
This information helps you to track changes made to your AWS resources and to troubleshoot operational issues.
CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
https://aws.amazon.com/cloudtrail/faqs/
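
The weekly aggregation script that option A mentions could look like the sketch below, which groups successful write calls by caller and API using the record fields listed in the explanation. This is an added example, not part of the original question and not AWS code; the account ID, users and events are constructed, and it assumes the log file has already been downloaded from S3 and decompressed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed identities
BOB = "arn:aws:iam::111122223333:user/bob"

def _rec(when, source, name, arn, read_only=False, error=None):
    """Build one constructed record using real CloudTrail field names."""
    rec = {"eventTime": when, "eventSource": source, "eventName": name,
           "readOnly": read_only, "userIdentity": {"type": "IAMUser", "arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample in the layout of a delivered log file: {"Records": [...]}
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-06T09:15:00Z", "ec2.amazonaws.com", "RunInstances", ALICE),
    _rec("2024-05-06T09:16:10Z", "ec2.amazonaws.com", "DescribeInstances", ALICE, read_only=True),
    _rec("2024-05-07T11:02:45Z", "ec2.amazonaws.com", "TerminateInstances", BOB,
         error="Client.UnauthorizedOperation"),
    _rec("2024-05-08T14:30:00Z", "s3.amazonaws.com", "PutBucketPolicy", BOB),
    _rec("2024-05-09T08:00:00Z", "ec2.amazonaws.com", "RunInstances", ALICE),
    _rec("2024-05-14T10:00:00Z", "cloudtrail.amazonaws.com", "StopLogging", BOB),
]})

def caller(record):
    """Best available identity: ARN, else principalId, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")

def weekly_changes(log_text, week_start):
    """Count successful write calls per (caller, service, API) in a 7-day window."""
    week_end = week_start + timedelta(days=7)
    counts = Counter()
    for rec in json.loads(log_text).get("Records", []):
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (week_start <= when < week_end):
            continue
        if rec.get("readOnly") is True or "errorCode" in rec:
            continue  # reads and failed calls changed nothing
        counts[(caller(rec), rec["eventSource"], rec["eventName"])] += 1
    return counts

def format_report(counts):
    """One line per caller/API pair, most frequent first."""
    return [f"{n:4d}  {who}  {src}:{api}" for (who, src, api), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(format_report(weekly_changes(SAMPLE_LOG, datetime(2024, 5, 6, tzinfo=timezone.utc)))))
```

Failed calls are dropped here because they changed nothing; a report meant to surface denied attempts would count records carrying `errorCode` separately instead.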



Sadeel Anjum

A
Traffic coming/going from/to outside AWS is monitored by CloudTrail,
and CloudWatch monitors our systems utilization only,
so in this question CloudWatch can't help us.
So the answer is A.

Sam T

D Config should be the choice, but probably it does not say who actually made the change. + SNS/Lambda etc. make the answer goofy.
So will have to go with CloudTrail – the difficult path – A

leonli

Totally agreed. AWS Config is really good for resource state tracking.