AWS Account User Activity Report | DevOps Exam Preparation


Question

Your CTO has asked you to make sure that you know how all your AWS account users change the AWS resources.

She wants a report of who is doing what over time, reported to her once per week.

Which of the following options can achieve this in the easiest way?

Answers

A. Create a global AWS CloudTrail Trail. Configure a bash script to aggregate the log data delivered to S3 once per week and deliver this to the CTO.

B. Use AWS CloudWatch Logs with an SNS topic subscribed to all AWS API calls. Subscribe the CTO to an email type delivery on this SNS Topic.

C. Use AWS IAM credential reports to deliver a CSV of all uses of IAM User Tokens over time to the CTO.

D. Use AWS Config with an SNS subscription on a Lambda, and insert these changes over time into a DynamoDB table. Generate reports based on the contents of this table.

Explanations

Answer - A.

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account.

Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Visibility into your AWS account activity is a key aspect of security and operational best practices.

You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure.

You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account.

Option B is incorrect because the AWS API activities are not logged in AWS CloudWatch Logs.

Option C is incorrect because the IAM credential reports do not contain the details of API calls to the AWS resources.

Option D is incorrect because, with the changes stored in a DynamoDB table, extra effort is needed to generate the reports from that data.

Option A is more straightforward.

For more information on CloudTrail, please visit the URL below:

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

To meet the CTO's requirement of tracking changes made by all AWS account users and delivering a report to her once per week, we need to set up an appropriate monitoring and reporting mechanism. Here is how each of the given options measures up:

Option A: Create a global AWS CloudTrail Trail. Configure a bash script to aggregate the log data delivered to S3 once per week and deliver this to the CTO.

CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of AWS account activities. By creating a global CloudTrail trail, we can capture all API events across all regions in our AWS account. We can then configure a bash script to aggregate the log data delivered to S3 once per week and deliver this to the CTO. This option can meet the requirement of tracking changes made by all AWS account users and delivering a report to the CTO once per week. However, configuring and maintaining the bash script may require some effort.

Option B: Use AWS CloudWatch Logs with an SNS topic subscribed to all AWS API calls. Subscribe the CTO to an email type delivery on this SNS Topic.

CloudWatch is a monitoring service for AWS resources and applications. It can collect and track metrics, collect and monitor log files, and set alarms. By using CloudWatch Logs with an SNS topic subscribed to all AWS API calls, we can capture and forward all API events to an SNS topic. We can then subscribe the CTO to an email type delivery on this SNS topic. This option can also meet the requirement of tracking changes made by all AWS account users and delivering a report to the CTO once per week. However, it may require some configuration and setup of SNS and email delivery.

Option C: Use AWS IAM credential reports to deliver a CSV of all uses of IAM User Tokens over time to the CTO.

IAM credential reports provide details about IAM users and their activity in your AWS account. By using IAM credential reports, we can generate a CSV of all uses of IAM User Tokens over time and deliver it to the CTO. However, this option may not capture all changes made by AWS account users as it only focuses on IAM user activity. This option is also less flexible as we are limited to using IAM credential reports.

Option D: Use AWS Config with an SNS subscription on a Lambda, and insert these changes over time into a DynamoDB table. Generate reports based on the contents of this table.

AWS Config is a service that enables us to assess, audit, and evaluate the configurations of our AWS resources. By using AWS Config with an SNS subscription on a Lambda, we can capture and insert all changes over time into a DynamoDB table. We can then generate reports based on the contents of this table. This option can also meet the requirement of tracking changes made by all AWS account users and delivering a report to the CTO once per week. However, configuring and maintaining the Lambda function and DynamoDB table may require some effort.

In conclusion, the easiest way to meet the requirement of tracking changes made by all AWS account users and delivering a weekly report to the CTO is option A: create a global AWS CloudTrail trail and configure a bash script that aggregates the log data delivered to S3 once per week and sends it to the CTO.