AWS CloudTrail Logs: Identifying User and Tool for Configuration Changes


Question

During an outage, it was found that an incorrect configuration change had been made to an Amazon EC2 instance by a member of the operations team.

To get more details, the team lead examines the AWS CloudTrail logs to identify the user who made the change and the tool from which the change was made.

Which fields of the AWS CloudTrail Logs can be checked to get these details?

Answers

A. Check “userIdentity” & “userAgent” field of AWS CloudTrail logs.
B. Check “userIdentity” & “eventSource” field of AWS CloudTrail logs.
C. Check “requestParameters” & “eventSource” field of AWS CloudTrail logs.
D. Check “requestParameters” & “userAgent” field of AWS CloudTrail logs.

Explanations

Correct Answer: A.

AWS CloudTrail records API calls made against AWS resources by users, roles and AWS services, whether the call came from the AWS Management Console, the AWS CLI, an AWS SDK or a direct API request.

The AWS CloudTrail log records can therefore be evaluated to get the required details.

The userIdentity field of a record identifies the IAM principal (IAM user, assumed role, root user or AWS service) that made the request, while the userAgent field records the client the request was sent from, for example console.amazonaws.com for the console, an aws-cli/... string for the CLI, or an SDK string such as Boto3/....

Option B is incorrect because the “eventSource” field only holds the name of the service endpoint the request was made to (for example ec2.amazonaws.com); it says nothing about the tool that sent the request.

Option C is incorrect because neither of its fields identifies the user or the tool: “eventSource” names the service that received the request, and “requestParameters” holds the parameters that were sent with the request (useful for seeing what was changed, not who changed it or how).

Option D is incorrect because “requestParameters” does not identify the user who made the request; only the tool half of the question would be answered by “userAgent”.

For more information on AWS CloudTrail Logs, refer to the following URL,

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html

AWS CloudTrail is the AWS service that tracks user activity and API usage in your account. It records management events (control-plane calls such as EC2 configuration changes) and, if enabled, data events, as JSON records; a trail delivers those log files to an S3 bucket and optionally to CloudWatch Logs, and the console's Event history keeps the last 90 days of management events even without a trail. By analyzing these records you can find the root cause of an issue and reconstruct the actions taken by different users.

In this scenario, the team lead needs to check the AWS CloudTrail logs to identify the user who made the changes and the tool from which the changes were made. The fields of the AWS CloudTrail logs that should be checked to get this information are:

A. Check “userIdentity” & “userAgent” field of AWS CloudTrail logs.

The "userIdentity" field contains information about the principal that performed the action: its type (IAMUser, AssumedRole, Root, AWSService and so on), principalId, ARN (Amazon Resource Name), account ID, the access key ID used, and a userName for IAM users. For calls made under an assumed role the ARN is the STS session ARN and the "sessionContext" / "sessionIssuer" sub-fields name the role, with the role session name (the part of principalId after the colon) being the only pointer to the person behind the session. By checking this field, the team lead can identify who made the changes to the EC2 instance.

The "userAgent" field contains the client string the request arrived with, which identifies the tool or application that was used to perform the action (console, AWS CLI, an SDK, Terraform and so on). By checking this field, the team lead can identify the tool the user made the changes with. Note that the value is supplied by the client, so it is good evidence of how a call was made but not proof; "sourceIPAddress" in the same record is a useful corroborating field.

Therefore, option A is the correct answer.
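The lookup the team lead is doing by hand can be scripted. The following is an added example, not code from the original page or from AWS: it parses a CloudTrail log file in the `{"Records": [...]}` shape a trail delivers to S3, keeps only the mutating EC2 events that touched a given instance, and reports the caller from `userIdentity` (resolving assumed-role sessions to the role and session name) and the tool from `userAgent`. The three records, their ARNs, instance ID and IP addresses are constructed sample data; the `classify_tool` prefixes are an assumption about common client strings and can be extended.

```python
import json

# Constructed sample CloudTrail log file (the {"Records": [...]} shape that a
# trail delivers to S3). Names, ARNs, IDs and addresses are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {   # change made from the console by an IAM user
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE",
                         "arn": "arn:aws:iam::111122223333:user/ops-alice",
                         "accountId": "111122223333", "userName": "ops-alice"},
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyInstanceAttribute", "sourceIPAddress": "203.0.113.10",
        "userAgent": "console.ec2.amazonaws.com",
        "requestParameters": {"instanceId": "i-0123456789abcdef0",
                              "instanceType": {"value": "t3.large"}},
        "readOnly": False,
    },
    {   # change made from the CLI under an assumed role
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEOPS:bob",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob",
                         "accountId": "111122223333",
                         "sessionContext": {"sessionIssuer": {
                             "type": "Role", "userName": "OpsRole",
                             "arn": "arn:aws:iam::111122223333:role/OpsRole"}}},
        "eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances", "sourceIPAddress": "203.0.113.11",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64",
        "requestParameters": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0"}]}, "force": False},
        "readOnly": False,
    },
    {   # read-only call from an SDK: not a change, must be ignored
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEREADER",
                         "arn": "arn:aws:iam::111122223333:user/reader",
                         "accountId": "111122223333", "userName": "reader"},
        "eventTime": "2024-05-01T10:21:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.12",
        "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux",
        "requestParameters": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0"}]}},
        "readOnly": True,
    },
]})


def describe_caller(identity):
    """Summarise userIdentity. For an AssumedRole the arn is the STS session ARN;
    sessionContext.sessionIssuer names the role, and the role session name (the
    part of principalId after ':') is the only pointer to the human behind it."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        session = identity.get("principalId", "").split(":", 1)[-1]
        return f"role {issuer.get('userName', '?')} (session {session})"
    return f"{identity.get('type')} {identity.get('userName') or identity.get('arn')}"


def classify_tool(user_agent):
    """Map userAgent to a tool family (prefixes are an assumption, extend as
    needed). The string is sent by the client, so it is evidence of how the
    call was made, not proof: anyone holding the credentials can send any value."""
    ua = user_agent or ""
    if ua.startswith("console."):
        return "AWS Management Console"
    if ua.startswith("aws-cli/"):
        return "AWS CLI"
    if ua.startswith(("Boto3/", "aws-sdk-")):
        return "AWS SDK"
    return "other: " + (ua or "<missing>")


def find_changes(log_text, instance_id):
    """Mutating EC2 events that touched instance_id, oldest first, with the
    caller and tool read from userIdentity and userAgent."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        # readOnly is present in current record versions; fall back to a name
        # heuristic for older ones.
        if rec.get("readOnly", rec["eventName"].startswith(("Describe", "Get", "List"))):
            continue
        # requestParameters nests the instance id differently per API call
        # (instanceId vs instancesSet.items[].instanceId), so match on the
        # serialised parameters rather than one fixed key.
        if instance_id not in json.dumps(rec.get("requestParameters", {})):
            continue
        hits.append({"time": rec["eventTime"], "event": rec["eventName"],
                     "who": describe_caller(rec["userIdentity"]),
                     "tool": classify_tool(rec.get("userAgent")),
                     "source_ip": rec.get("sourceIPAddress")})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for h in find_changes(SAMPLE_LOG, "i-0123456789abcdef0"):
        print(f"{h['time']} {h['event']:<24} {h['who']:<30} via {h['tool']} from {h['source_ip']}")
```

Run against a real trail, the same loop would iterate over each gzipped file under the trail's S3 prefix; the point to keep from the output is that the console change resolves to a named IAM user, while the CLI change resolves only to a role and its session name, which is why enforcing meaningful role session names matters before an incident rather than after.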

B. Check “userIdentity” & “eventSource” field of AWS CloudTrail logs.

The "eventSource" field contains the name of the AWS service endpoint the request was made to, for example ec2.amazonaws.com. By checking this field, the team lead can confirm that the change went to EC2, but nothing more.

This option does identify the user through "userIdentity"; however, "eventSource" provides no information about the tool that was used to make the changes. Therefore, this option is incorrect.

C. Check “requestParameters” & “eventSource” field of AWS CloudTrail logs.

The "requestParameters" field contains information about the parameters that were passed to the AWS service. By checking this field, the team lead can identify the parameters that were used to make the changes.

However, this field will not provide any information about the user who made the changes or the tool that was used to make the changes. Therefore, this option is incorrect.

D. Check “requestParameters” & “userAgent” field of AWS CloudTrail logs.

The "requestParameters" field contains information about the parameters that were passed to the AWS service. By checking this field, the team lead can identify the parameters that were used to make the changes.

The "userAgent" field contains information about the tool or application that was used to perform the action. By checking this field, the team lead can identify the tool or application that was used by the user to make the changes.

However, this option will not provide any information about the user who made the changes. Therefore, this option is incorrect.

In summary, the correct answer is option A - Check “userIdentity” & “userAgent” field of AWS CloudTrail logs.