During an internal audit following suspected misuse of privileged credentials at a technology services firm,...

The correct answer is B because AWS CloudTrail is the native AWS audit service that records management-plane actions such as API calls and administrative changes, including timestamps, source IP addresses, user identity information, and request parameters. AWS documentation explicitly states that CloudTrail records information such as the identity of the user, the start time of the API call, the source IP address, the request parameters, and related response elements. That matches the scenario exactly. CHFI v11 includes cloud forensics and AWS forensic evidence sources, so candidates are expected to recognize CloudTrail as the primary account activity history for reconstructing cloud actions over time. Azure Monitor Logs, Microsoft Sentinel, and Google Logs Explorer are tied to other ecosystems or broader monitoring and analytics use cases, but the question asks for the native platform that records management-plane activity inside a single provider’s environment. Because the activity described involves API calls, configuration changes, and detailed audit reconstruction in AWS, the correct service is AWS CloudTrail.