Q35 — AWS SCS-C02 Ch.1

Question 35 of 100

A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago. What is the FASTEST way for the security engineer to identify the federated user?

Correct Answer: B. Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

Explanation

AWS CloudTrail records API activity, including role assumptions and resource operations. A federated user signing in through SAML triggers an AssumeRoleWithSAML event, which carries the user's identity information. The TerminateInstances event shows the role that performed the action, but it has to be correlated with the corresponding AssumeRole event to recover the original user. Option B first filters on TerminateInstances to determine the role, then traces back to the matching AssumeRoleWithSAML event to find the username. Option A may not map the session name directly to a user; option C's Access Advisor only tracks service access and does not tie it to a specific user or API call; option D wrongly looks at the WebIdentity event type instead of the SAML one. B correctly handles the link between the role and the SAML assertion.
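To make the correlation in option B concrete, here is an added example (not from the exam or from AWS) that joins the two CloudTrail records offline on the assumed-role session ARN and picks the SAML federation whose credentials were still valid when the instance was terminated. The event records, account ID, role name, session name and usernames are constructed.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records (not from the page). Two SAML federations reused the
# same role session name; only the second was still valid at the TerminateInstances call.
SESSION_ARN = "arn:aws:sts::111122223333:assumed-role/OpsAdmin/sess-7f3a"

def _saml(t, user, secs=3600):
    return {"eventTime": t, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRoleWithSAML",
            "userIdentity": {"type": "SAMLUser", "userName": user},
            "requestParameters": {"roleSessionName": "sess-7f3a", "durationSeconds": secs,
                                  "roleArn": "arn:aws:iam::111122223333:role/OpsAdmin"},
            "responseElements": {"assumedRoleUser": {"arn": SESSION_ARN}}}

SAMPLE_EVENTS = [
    _saml("2024-04-30T09:00:00Z", "bob@example.com"),    # expired long before the call
    _saml("2024-05-01T08:00:00Z", "alice@example.com"),  # valid at 08:42
    {"eventTime": "2024-05-01T08:42:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
def find_terminator(events, instance_id):
    """Return (session_arn, federated_username) for the session that terminated instance_id;
    username is None if no AssumeRoleWithSAML matches, the whole result None if no call matches."""
    for ev in events:
        if ev.get("eventName") != "TerminateInstances":
            continue
        items = ev["requestParameters"]["instancesSet"]["items"]
        if not any(i["instanceId"] == instance_id for i in items):
            continue
        session_arn = ev["userIdentity"]["arn"]   # role + session name, not the person
        when = _ts(ev["eventTime"])
        best = None
        for saml in events:
            if saml.get("eventName") != "AssumeRoleWithSAML":
                continue
            if saml["responseElements"]["assumedRoleUser"]["arn"] != session_arn:
                continue
            start = _ts(saml["eventTime"])
            ttl = timedelta(seconds=saml["requestParameters"]["durationSeconds"])
            # Keep the latest federation whose credentials were still valid at the call.
            if start <= when <= start + ttl and (best is None or start > _ts(best["eventTime"])):
                best = saml
        user = best["userIdentity"]["userName"] if best else None
        return session_arn, user
    return None
```

Against real data the same join runs over a trail's log files from S3 or a CloudTrail Lake query; the console Event history only covers the last 90 days, which is enough for the week-old event in the question.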