Exam AWS Certified Security - Specialty topic 1 question 238 discussion

B. within 90 days can be filtered on CT console.

B.. In this site https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/

keywords: FASTEST way

I go with Option A Both options A and B involves examining the CloudTrail logs, but Option A emphasizes identifying the federated user directly from the role session name associated with the TerminateInstances event. This approach is often more straightforward and faster in a federated identity scenario.

User federated identity should be right in the session name: “ When you use the AssumeRolewithSAML API to assume an IAM role, AWS sets the role session name value to the attribute provided by the identity provider, which your administrator defined. ”

https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/

A. Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name. By reviewing the CloudTrail event history logs and filtering for the TerminateInstances event, the security engineer can quickly identify the relevant event that led to the termination of the EC2 instance. The role session name associated with the event will indicate the federated user responsible for the action. This approach is the fastest because it directly targets the specific event of interest without the need for additional queries or searching through IAM Access Advisor or other logs.

A: Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name. AWS CloudTrail is a service that provides a history of AWS API calls made within an AWS account. By reviewing the CloudTrail event history logs, you can track and analyze the activities within the account. To identify the federated user who terminated the EC2 instance, you should look for the TerminateInstances event in the CloudTrail logs. This event indicates the termination of an EC2 instance. Within the event data, you can find information about the role session name associated with the event.

Selected B

Cloudtrail event console quicker as event history is less than 90 days old

https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/ AssumeRoleWithSAML : Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.

Answer is B

I agree with B, but if we take a look at the link from kk3322, we can clearly see that in the first event we have the email address of the user. So A could also be an option...

external identity can be SAML or OpenID that eleminates A and C as the fastest solution along with the fact that multiple users could be assuming the role it leaves B and D and as a matter of fact B is a manual process while D can do it all in a single query which is the fastest way i'll go with D for sure.

B seems best option as per https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/ but if multiple users had assumed the same role via SAML at the time the instance was terminated, how to identify the exact user is not clear.

A. The federated user info is not in the TerminateInstance event. B. Could work, but possibly many Federated (SAML) users (Not web users) use the same assume role. Hopefully something will be better. C. AIM Access advisor only shows last time. D. Not about WebIdentity. -B- nothing is better.

B external identity provider to allow federation into different AWS accounts, you need to use AssumeRoleWith SAML