
AWS Security Governance at Scale: Which AWS Service Logs All API Calls and Account Activity?

How Do You Monitor and Retain a History of AWS Operations?

Understand the function of AWS CloudTrail, the service for logging, continuously monitoring, and retaining account activity. Learn how it captures all operations from the AWS Management Console, SDKs, and CLI for security, auditing, and governance.

Question

Which AWS service is used to log, monitor, and retain account activity related to operations in AWS? This includes operations taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

A. AWS CloudFormation
B. AWS Organizations
C. AWS Control Tower
D. Amazon CloudTrail
E. AWS Service Catalog

Answer

D. Amazon CloudTrail

Explanation

AWS CloudTrail is a fundamental service for governance, compliance, and operational auditing of your AWS account. Its specific purpose is to record API calls and events for your account. It captures a comprehensive history of actions, including who made the request, the services used, the actions performed, and the parameters for those actions. This log of activity is invaluable for security analysis, tracking resource changes, and troubleshooting operational issues.

Every action taken in AWS—whether through the AWS Management Console, Command Line Interface (CLI), SDKs, or other AWS services—is an API call that CloudTrail can record. This makes it the authoritative source for an audit trail of all operations within the environment.
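To make the "who, which service, what action, which parameters" description concrete, here is an added example (not from the original page) that reduces CloudTrail records to those fields and guesses the access channel. The sample records are constructed, the account ID is a placeholder, and `channel` and `summarize` are hypothetical helper names.

```python
import json

# Constructed sample log; field names follow the CloudTrail record format.
ACCT = "111122223333"  # placeholder account ID
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userAgent": "console.amazonaws.com", "sessionCredentialFromConsole": "true",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userAgent": "Boto3/1.34.0 Python/3.11.6",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/ci/build"},
     "requestParameters": None},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userAgent": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"},
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"}},
]})

def channel(rec):
    """Best-effort guess at how the call was made. userAgent is client-supplied,
    so treat this as a triage hint, not as proof."""
    ident, agent = rec.get("userIdentity") or {}, rec.get("userAgent") or ""
    if ident.get("type") == "AWSService" or ident.get("invokedBy"):
        return "aws-service"
    if rec.get("sessionCredentialFromConsole") == "true" or agent.startswith("console."):
        return "console"
    if agent.startswith("aws-cli/"):
        return "cli"
    return "sdk-or-other" if agent else "unknown"

def summarize(log_text):
    """Reduce each record to who / service / action / parameters / channel."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity") or {}
        out.append({
            "who": ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown"),
            "service": rec.get("eventSource", "").removesuffix(".amazonaws.com"),
            "action": rec.get("eventName"),
            "parameters": rec.get("requestParameters") or {},
            "channel": channel(rec),
        })
    return out
```
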

Incorrect Options

A. AWS CloudFormation: This is an Infrastructure as Code (IaC) service for provisioning and managing AWS resources through templates. It does not log account activity.

B. AWS Organizations: This service is used to centrally manage and govern a multi-account environment. While it helps apply policies, it is not the service that records the operational activity within those accounts.

C. AWS Control Tower: This service automates the setup of a secure, multi-account AWS environment (a landing zone). It uses CloudTrail to implement detective guardrails, but CloudTrail is the underlying service that performs the actual logging.

E. AWS Service Catalog: This service allows you to create and manage catalogs of pre-approved IT services. It helps govern which resources can be deployed but does not provide a comprehensive log of all account activity.
