Your company is hosting a set of resources on the AWS Cloud.
There is now a security requirement that states that all API requests to the STS service be monitored.
How can you accomplish this requirement?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - B.
The AWS Documentation mentions the following.
CloudTrail logs all authenticated API requests (made with credentials) to IAM and AWS STS APIs, except DecodeAuthorizationMessage.
CloudTrail also logs nonauthenticated requests to the AWS STS actions, AssumeRoleWithSAML and AssumeRoleWithWebIdentity, and logs information provided by the identity provider.
You can use this information to map calls made by a federated user with an assumed role back to the originating external federated caller.
Option A is incorrect since the log service will not have the trail of the API calls.
Option C is incorrect since STS does not have a logging service.
Option D is incorrect since Cloudwatch metrics will not have the trail of the API calls.
For more information on cloudtrail integrations, please refer to the below URL-
https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.htmlTo accomplish the requirement of monitoring all API requests to the STS service in AWS, the best option would be to view logs in CloudTrail.
CloudTrail is a service that records all API activity and generates detailed event logs, including API requests made to STS (Security Token Service). By default, CloudTrail is enabled in AWS accounts, and you can access it in the CloudTrail console or by using the AWS CLI.
You can use CloudTrail to monitor all API requests made to STS, including requests for temporary security credentials, which allow access to AWS resources for a specified time period. With CloudTrail, you can identify the source IP address of the request, the IAM user or role making the request, the time of the request, and other details.
Additionally, you can create CloudWatch alarms to notify you when specific API events occur, such as an API call to STS that uses a specific IAM user or role. You can also use CloudWatch metrics to visualize and analyze API usage patterns and identify anomalies.
While it is possible to monitor the CloudWatch logs service or use the STS logging service to monitor API requests to STS, these options may not provide the same level of detail and visibility as CloudTrail. CloudTrail is specifically designed for recording and monitoring API activity, making it the best option for meeting the security requirement of monitoring all API requests to STS.