🔥 3-day streak
AWS Certified Security - Specialty104 / 157
Question 104 of 157
After containing a compromised EC2 instance, a security team must produce a root cause analysis identifying every API action the attacker performed across all accounts during a 6-hour window. The organization already delivers all AWS CloudTrail management and data events from every member account into a centralized S3 bucket in the security account. The team needs to reconstruct a precise timeline of the attacker's activity as quickly as possible without provisioning any servers. Which approach best meets this requirement?
Reviewed for accuracy · Report an issueNext question