Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 395 discussion

C. AWS CloudTrail The best option is to use AWS CloudTrail to find the desired information. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of AWS account activities. CloudTrail can be used to log all changes made to resources in an AWS account, including changes made by IAM users, EC2 instances, AWS management console, and other AWS services. By using CloudTrail, the solutions architect can identify the IAM user who made the configuration changes to the security group rules.

I was initially a bit confused on what Config and CloudTrail actually do, as both can be used to track configuration changes. However, this explanation is probably the best one I have come across so far: "Config reports on what has changed, whereas CloudTrail reports on who made the change, when, and from which location" Since the question is which IAM user was responsible for making the changes, the answer is CloudTrail.

CloudTrail = which user made which api calls. This is used for audit purpose.

This question is the same with the question 388, isn't it?

This is how you know not to trust the moderators with their answers.

There is an article "How to use AWS Config and CloudTrail to find who made changes to a resource" in aws blog. Given CloudTrail provided AWS config original info, it seems for this particular one, C is better than AWS config.

AWS CloudTrail is the correct service to use here to identify which user was responsible for the security group configuration changes

AWS CloudTrail

AWS CloudTrail

C. AWS CloudTrail

CloudTrail logs will tell who did that

Option "C" AWS CloudTrail is correct.

cccccc