Discover how to identify the IAM user or role responsible for deleting an Amazon RDS DB instance within the past 90 days. Learn the correct approach for the AWS Certified Developer Associate exam.
Question
A company had an Amazon RDS for MySQL DB instance that was named mysql-db. The DB instance was deleted within the past 90 days.
A developer needs to find which IAM user or role deleted the DB instance in the AWS environment.
Which solution will provide this information?
A. Retrieve the AWS CloudTrail events for the resource mysql-db where the event name is DeleteDBInstance. Inspect each event.
B. Retrieve the Amazon CloudWatch log events from the most recent log stream within the rds/mysql-db log group. Inspect the log events.
C. Retrieve the AWS X-Ray trace summaries. Filter by services with the name mysql-db. Inspect the ErrorRootCauses values within each summary.
D. Retrieve the AWS Systems Manager deletions inventory. Filter the inventory by deletions that have a TypeName value of RDS. Inspect the deletion details.
Answer
A. Retrieve the AWS CloudTrail events for the resource mysql-db where the event name is DeleteDBInstance. Inspect each event.
Explanation
AWS CloudTrail records API calls made within an AWS account, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. When an Amazon RDS DB instance is deleted, CloudTrail logs the DeleteDBInstance API call.
To find out which IAM user or role deleted the mysql-db instance, you should:
- Open the AWS CloudTrail console or use the AWS CLI.
- Retrieve the events where the resource name is mysql-db and the event name is DeleteDBInstance.
- Inspect each relevant event. The userIdentity section of the event contains details about the IAM user or role that made the API call; for an assumed role, the caller's ARN is a temporary session ARN, and the role that was assumed is recorded under sessionContext.sessionIssuer.
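The three steps above, as an added example that is not part of the original page: a small script that filters CloudTrail records for DeleteDBInstance calls against a named DB instance and reports the principal from userIdentity (resolving an assumed role to its issuing role). The sample records are constructed in the CloudTrail event format with made-up account IDs and ARNs; the field name dBInstanceIdentifier is the one CloudTrail uses in requestParameters for RDS calls. The lookup_delete_events helper is the live equivalent using boto3's CloudTrail lookup_events paginator (it assumes cloudtrail:LookupEvents permission and is not exercised offline).

```python
"""Added example (not from the original page): identify who deleted an RDS DB
instance from CloudTrail event records, offline on constructed samples or
live against CloudTrail Event history."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records. Shape follows the CloudTrail event
# format; account IDs, ARNs and session names are made-up placeholders.
SAMPLE_EVENTS = [
    {  # a read-only call: must be ignored
        "eventTime": "2024-05-02T10:15:30Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "DescribeDBInstances",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"dBInstanceIdentifier": "mysql-db"},
    },
    {  # the deletion we are looking for, made through an assumed role
        "eventTime": "2024-05-03T08:42:11Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBInstance",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner-42",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111122223333:role/DeployRole"}},
        },
        "requestParameters": {"dBInstanceIdentifier": "mysql-db",
                              "skipFinalSnapshot": True},
    },
    {  # a deletion of a different instance: must be ignored for mysql-db
        "eventTime": "2024-05-04T12:00:00Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBInstance",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"dBInstanceIdentifier": "other-db"},
    },
]


def principal_from_identity(identity):
    """Return (principal_arn, session_arn) for a CloudTrail userIdentity block.
    For an assumed role the caller ARN is a temporary STS session; the role
    that was assumed is in sessionContext.sessionIssuer."""
    session_arn = identity.get("arn")
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn", session_arn), session_arn
    return session_arn, session_arn


def find_db_deleters(events, db_instance_id):
    """Filter CloudTrail records for DeleteDBInstance calls against one DB
    instance and report who made each call, oldest first."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "rds.amazonaws.com":
            continue
        if ev.get("eventName") != "DeleteDBInstance":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("dBInstanceIdentifier") != db_instance_id:
            continue
        identity = ev.get("userIdentity", {})
        principal, session_arn = principal_from_identity(identity)
        hits.append({
            "eventTime": ev["eventTime"],
            "principalType": identity.get("type"),
            "principal": principal,
            "sessionArn": session_arn,
            "skipFinalSnapshot": bool(params.get("skipFinalSnapshot", False)),
        })
    hits.sort(key=lambda h: h["eventTime"])
    return hits


def lookup_delete_events(db_instance_id, region_name="us-east-1", days=90):
    """Live version: pull DeleteDBInstance records from CloudTrail Event
    history (which keeps 90 days) with boto3, then apply the same filter.
    Network call; not exercised by the offline sample."""
    import boto3  # imported here so the offline part runs without boto3
    client = boto3.client("cloudtrail", region_name=region_name)
    paginator = client.get_paginator("lookup_events")
    records = []
    for page in paginator.paginate(
        LookupAttributes=[{"AttributeKey": "EventName",
                           "AttributeValue": "DeleteDBInstance"}],
        StartTime=datetime.now(timezone.utc) - timedelta(days=days),
    ):
        for item in page.get("Events", []):
            records.append(json.loads(item["CloudTrailEvent"]))
    return find_db_deleters(records, db_instance_id)


if __name__ == "__main__":
    for hit in find_db_deleters(SAMPLE_EVENTS, "mysql-db"):
        print(hit)
```

Filtering on eventSource and eventName first keeps the matching cheap; the requestParameters check is what ties the call to mysql-db specifically, since a DeleteDBInstance lookup alone returns deletions of every instance in the account. Reporting skipFinalSnapshot alongside the principal tells the investigator immediately whether a final snapshot exists to restore from.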
The other options are incorrect because:
- B: Amazon CloudWatch Logs for RDS do not contain information about IAM users or roles that perform actions.
- C: AWS X-Ray is used for distributed tracing of application performance and does not track IAM actions.
- D: AWS Systems Manager does not track deletions of individual resources like RDS DB instances.
Therefore, using AWS CloudTrail is the only reliable way to determine which IAM user or role deleted the RDS DB instance within the past 90 days. The 90-day window in the question matters because CloudTrail Event history retains management events for 90 days by default; looking further back requires a trail that delivers events to an S3 bucket.
Amazon AWS Certified Developer – Associate DVA-C02 certification exam practice question and answer (Q&A) dump with detailed explanation and references, available free and helpful for passing the Amazon AWS Certified Developer – Associate DVA-C02 exam and earning the Amazon AWS Certified Developer – Associate DVA-C02 certification.