API Activity Log Retrieval: How to Obtain Suspicious API Activity from 11 Days Ago

Obtain Suspicious API Activity from 11 Days Ago

Question

You work as an administrator for a company.

The company hosts a number of resources using AWS.

There is an incident of suspicious API activity that occurred 11 days ago.

The Security Admin has asked to get the API activity from that point in time.

How can this be achieved?

Answers

Explanations



Answer: B.

Option A is incorrect because AWS CloudWatch is used for logging and not for monitoring API activity.

Option B is CORRECT because AWS CloudTrail event history allows viewing events that are recorded for 90 days.

So one can use a metric filter to gather the API calls from 11 days ago.

Option C is incorrect because AWS CloudWatch is used for logging and not for monitoring API activity.

Option D is incorrect because AWS Config is a configuration service and is not used for monitoring API activity on the AWS account.

Note:

In this question, we assume that the customer has enabled the CloudTrail service.

AWS CloudTrail is enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started.

So for an activity that happened 11 days ago to be stored in CloudTrail, we need to configure the trail manually to ensure that it is stored in the event history.

For more information on AWS CloudTrail, kindly refer to the following URLs:

https://aws.amazon.com/blogs/aws/new-amazon-web-services-extends-cloudtrail-to-all-aws-customers/

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html

The correct answer to this question is B - Search the CloudTrail event history for the API events which occurred 11 days ago.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. When you enable CloudTrail for your AWS account, AWS delivers the log files to an S3 bucket that you specify. You can use these logs to monitor activity and to identify potential security issues.

In this scenario, the Security Admin has asked to get the API activity from 11 days ago. The best way to achieve this is to search the CloudTrail event history for the API events which occurred 11 days ago. CloudTrail records all API calls made to your AWS account, including calls made through the AWS Management Console, AWS CLI, AWS SDKs, and other AWS services.

To search for the specific API activity from 11 days ago in CloudTrail, you can perform the following steps:

  1. Go to the AWS Management Console and navigate to the CloudTrail service.
  2. Click on "Event history" on the left side of the console.
  3. Select the time range for 11 days ago and enter the filter criteria for the specific API activity you are looking for.
  4. CloudTrail will display the events that match your search criteria, and you can review the event details to determine if there was any suspicious activity.
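The same search can be scripted instead of clicked through. The following is an added example, not code from the original page: it computes the UTC day window for "N days ago", builds the keyword arguments the boto3 `lookup_events` call takes (`StartTime`, `EndTime`, `LookupAttributes`), and filters records shaped like that call's `Events` output. The sample events and the fixed `NOW` are constructed for illustration; the 90-day limit is the event-history retention stated above.

```python
from datetime import datetime, timedelta, timezone
import json

EVENT_HISTORY_DAYS = 90  # event history only covers the last 90 days


def window_for_days_ago(days, now=None):
    """Return (start, end) UTC datetimes spanning the whole calendar day `days` ago."""
    if not 0 <= days <= EVENT_HISTORY_DAYS:
        # Older activity is only in the trail's S3 log files, not in event history
        raise ValueError("outside event history; query the trail's S3 logs instead")
    now = now or datetime.now(timezone.utc)
    day = (now - timedelta(days=days)).replace(hour=0, minute=0, second=0, microsecond=0)
    return day, day + timedelta(days=1)


def lookup_request(days, event_name=None, now=None):
    """Keyword arguments for boto3 client('cloudtrail').lookup_events(**req)."""
    start, end = window_for_days_ago(days, now)
    req = {"StartTime": start, "EndTime": end}
    if event_name:  # narrow to one API call, e.g. the suspicious operation
        req["LookupAttributes"] = [{"AttributeKey": "EventName", "AttributeValue": event_name}]
    return req


def filter_events(events, start, end, event_name=None):
    """Keep records inside [start, end) and, if given, with the named API call.
    Each record mirrors one entry of lookup_events()['Events']."""
    hits = []
    for ev in events:
        if not (start <= ev["EventTime"] < end):
            continue
        if event_name and ev["EventName"] != event_name:
            continue
        detail = json.loads(ev["CloudTrailEvent"])  # full record is a JSON string
        hits.append({"time": ev["EventTime"].isoformat(), "name": ev["EventName"],
                     "user": ev.get("Username"), "source_ip": detail.get("sourceIPAddress"),
                     "error": detail.get("errorCode")})
    return hits


# Constructed sample records (not real data), shaped like lookup_events output
NOW = datetime(2024, 3, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"EventTime": NOW - timedelta(days=11, hours=2), "EventName": "CreateUser", "Username": "alice",
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "203.0.113.5"})},
    {"EventTime": NOW - timedelta(days=11, hours=3), "EventName": "DeleteTrail", "Username": "bob",
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"})},
    {"EventTime": NOW - timedelta(days=3), "EventName": "CreateUser", "Username": "carol",
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "203.0.113.9"})},
]

if __name__ == "__main__":
    for hit in filter_events(SAMPLE_EVENTS, *window_for_days_ago(11, NOW)):
        print(hit)  # the two events from 11 days ago; the 3-day-old one is excluded
```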

In summary, the best way to find the specific API activity from 11 days ago in AWS is to search the CloudTrail event history for the relevant API events.