According to the AWS Cloud Operations and Security documentation, AWS CloudTrail is the authoritative service for recording API activity across all AWS services within an account.
When an access key is compromised, CloudTrail logs all API requests made using that key, including details such as:
The user identity (access key ID) that made the request,
The service, operation, resource, and timestamp affected, and
The source IP address and region of the request.
By searching the CloudTrail event history for the specific access key ID, the CloudOps engineer can identify every action performed by that key during the suspected breach window.
Other options are incorrect:
EventBridge (A) is event-driven, not historical.
CloudWatch Logs (B) monitors system logs, not AWS API activity.
VPC Flow Logs (D) track network-level traffic, not API calls.
Therefore, the correct solution is Option C — using AWS CloudTrail event history to audit and trace all actions executed via the compromised access key.
[Reference: AWS Cloud Operations & Security Management Guide – Investigating Compromised Access Keys Using AWS CloudTrail, ]
