During an outage, it was observed that a wrong configuration was made to the Amazon EC2 instance by an operations team member.
To get more details, the team lead scrutinizes AWS CloudTrail logs to check the user who made the changes & the tool from which these changes were performed.
Which fields of the AWS CloudTrail Logs can be checked to get these details?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer: A.
AWS CloudTrail captures actions made by users, roles, and services to AWS resources from AWS Management Console, AWS CLI, AWS SDKs and APIs.
AWS CloudTrail Logs can be evaluated to get the required details.
The userIdentity field in logs provides information about the user who made a request to the resource, while userAgent provides information about the tool used in making changes.
Option B is incorrect as the “eventsource” field will have the name of the service to which the request was made.
Option C is incorrect as the “eventsource” field will have the name of the service to which the request was made.
The “requestParameters” field consists of the parameters which were sent with the request.
Option D is incorrect as the “requestParameters” field consists of the parameters which were sent with the request.
For more information on AWS CloudTrail Logs, refer to the following URL,
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.htmlIn this scenario, the team lead is looking to identify the user who made the incorrect configuration on an Amazon EC2 instance and the tool used to make the changes. AWS CloudTrail provides a detailed history of all API calls made within an AWS account, including information such as who made the call, which service was called, and the time of the call.
To identify the user who made the changes and the tool used to make the changes, the team lead should look at two specific fields of the AWS CloudTrail logs: "userIdentity" and "userAgent". The "userIdentity" field provides information about the AWS account or IAM user who made the API call. This field includes the user's ARN (Amazon Resource Name), username, and account ID. The "userAgent" field provides information about the tool or program used to make the API call. This field typically includes the name and version of the tool or program.
Option A, "Check 'userIdentity' & 'userAgent' field of AWS CloudTrail logs," is the correct answer as it includes both the "userIdentity" and "userAgent" fields that the team lead should investigate.
Option B, "Check 'userIdentity' & 'eventSource' field of AWS CloudTrail logs," is not the best answer because the "eventSource" field provides information about the AWS service that was called, which may not be helpful in identifying the user or tool used to make the changes.
Option C, "Check 'requestParameters' & 'eventSource' field of AWS CloudTrail logs," is not the best answer because the "requestParameters" field provides information about the parameters used in the API call, which may not be relevant in this scenario.
Option D, "Check 'requestParameters' & 'userAgent' field of AWS CloudTrail logs," is not the best answer because the "requestParameters" field provides information about the parameters used in the API call, which may not be relevant in this scenario.