SCS-C02 · Question #279
SCS-C02 Question #279: Real Exam Question with Answer & Explanation
The correct answer is A: Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and. AWS CloudTrail is the correct service here because it records all API activity across AWS, including CreateRole calls - capturing the timestamp, the identity of the requester, and the source IP. Since the roles appeared within the last 90 days and CloudTrail Event History retains
Question
A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead. Which solution will meet this requirement?
Options
- AImport AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and
- BCreate a table in Amazon Athena for AWS CloudTrail events.
- CUse AWS Config to look up the configuration timeline for the additional IAM roles and view the
- DDownload the credentials report from the IAM console to view the details for each IAM entity,
Explanation
AWS CloudTrail is the correct service here because it records all API activity across AWS, including CreateRole calls - capturing the timestamp, the identity of the requester, and the source IP. Since the roles appeared within the last 90 days and CloudTrail Event History retains 90 days of logs by default, this data is available with minimal setup, making it the lowest-overhead approach.
Why the distractors are wrong:
- B (Athena): Querying CloudTrail logs with Athena is valid but requires creating and managing a table schema, partitions, and writing SQL - more setup than directly using CloudTrail's built-in search or a pre-built integration.
- C (AWS Config timeline): Config tracks configuration state changes to resources, but it shows what changed, not necessarily who made the API call that caused the change. CloudTrail is the authoritative source for the "who" and "when" of API actions.
- D (IAM credentials report): This report shows credentials metadata for IAM users (password age, MFA status, key usage), not a history of role creation events or the identity of who performed them.
Memory tip: Think "CloudTrail = audit trail for API calls." Whenever an exam question asks who did what and when in AWS, CloudTrail is almost always the answer - it's the service designed specifically for accountability and forensics.
Topics
Community Discussion
No community discussion yet for this question.