
Your company is hosting a set of resources on the AWS Cloud. There is now a security requirement that states that all API requests to the STS service be monitored.

How can you accomplish this requirement?

1 Answer


Answer - B.

The AWS Documentation mentions the following.

CloudTrail logs all authenticated API requests (made with credentials) to IAM and AWS STS APIs, except DecodeAuthorizationMessage.

CloudTrail also logs nonauthenticated requests to the AWS STS actions, AssumeRoleWithSAML and AssumeRoleWithWebIdentity, and logs information provided by the identity provider.

You can use this information to map calls made by a federated user with an assumed role back to the originating external federated caller.

Option A is incorrect since the log service will not have the trail of the API calls.

Option C is incorrect since STS does not have a logging service.

Option D is incorrect since CloudWatch metrics will not have the trail of the API calls.

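The answer above points at CloudTrail as the place where STS calls are recorded, and notes that for AssumeRoleWithSAML and AssumeRoleWithWebIdentity the trail also captures identity-provider details that let you tie later assumed-role activity back to the external caller. The script below is an added example (not from the question, the answer, or AWS) showing how a defender would work that trail: it loads a CloudTrail log file, pulls out every call to the STS endpoint, and uses the assumedRoleId returned by a federated STS call to attribute later calls in the same session to their identity provider and subject. The record layout follows CloudTrail's documented event format, but every account id, role name, provider and subject value is constructed sample data.

```python
"""Added example: pick STS calls out of CloudTrail records and tie later
assumed-role activity back to the federated caller that created the session.
Record layout follows the CloudTrail event format; all identifiers below are
constructed sample data, not real account values."""
import json

# Constructed CloudTrail log file (one "Records" array, as CloudTrail delivers to S3).
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity",
        "userIdentity": {
            "type": "WebIdentityUser",
            "principalId": "accounts.example-idp.com:subject-123",  # constructed
            "identityProvider": "accounts.example-idp.com",         # constructed
        },
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ExampleFederatedRole",
                              "roleSessionName": "web-session"},
        "responseElements": {"assumedRoleUser": {
            "assumedRoleId": "AROAEXAMPLEID:web-session",
            "arn": "arn:aws:sts::111122223333:assumed-role/ExampleFederatedRole/web-session"}},
    },
    {   # a call made with the temporary credentials from the session above
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:web-session",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ExampleFederatedRole/web-session"},
    },
    {   # an authenticated STS call by an ordinary IAM user: still an STS event
        "eventTime": "2024-01-01T10:06:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEID", "userName": "alice"},
    },
    {   # not STS and not a federated session: nothing to attribute
        "eventTime": "2024-01-01T10:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEID", "userName": "alice"},
    },
]})

# The two STS actions CloudTrail records even when the request itself is unauthenticated.
FEDERATED_STS_CALLS = {"AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}


def load_records(raw):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(raw)["Records"]


def sts_events(records):
    """Every API call that CloudTrail attributes to the STS endpoint."""
    return [r for r in records if r.get("eventSource") == "sts.amazonaws.com"]


def federation_sessions(records):
    """Map each assumed-role session id created by a federated STS call to the
    external identity (provider + subject) that CloudTrail recorded for it."""
    sessions = {}
    for r in sts_events(records):
        if r["eventName"] not in FEDERATED_STS_CALLS:
            continue
        ident = r["userIdentity"]
        role_id = r["responseElements"]["assumedRoleUser"]["assumedRoleId"]
        sessions[role_id] = {
            "provider": ident.get("identityProvider"),
            "external_principal": ident.get("principalId"),
            "role_arn": r["requestParameters"]["roleArn"],
        }
    return sessions


def attribute_calls(records):
    """For each non-STS call, return (eventName, origin) where origin is the
    federated identity behind the assumed-role session, or None if the call
    was not made under a session created by a federated STS call."""
    sessions = federation_sessions(records)
    out = []
    for r in records:
        if r.get("eventSource") == "sts.amazonaws.com":
            continue
        ident = r["userIdentity"]
        origin = sessions.get(ident["principalId"]) if ident["type"] == "AssumedRole" else None
        out.append((r["eventName"], origin))
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for e in sts_events(recs):
        print(f"{e['eventTime']} STS {e['eventName']} by {e['userIdentity']['type']}")
    for name, origin in attribute_calls(recs):
        print(name, "<-", origin["external_principal"] if origin else "(not a federated session)")
```

The join key is the assumedRoleId (the role's unique id plus the session name) from the STS response: every later record made with those temporary credentials carries the same value in userIdentity.principalId, which is what makes the federated caller recoverable without any extra logging on the STS side.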