ExamQuestions.com

AWS Certified Security Specialty Exam Questions


Question 233:

A company has used SAML 2.0 to configure identity federation with AWS. Users can use federated single sign-on (SSO) to log in to the AWS Management Console or call the AWS API operations.
A SAML federated user terminated an EC2 instance in production yesterday. You need to find out who did this.
Which of the following options can help you quickly identify the federated user?

Answer options:

A. Check the CloudWatch Events for the EC2 instance. Search for the EC2 instance state change events and check the userIdentity field.
B. Search the CloudTrail event logs for the TerminateInstances event and identify the assumed IAM role name. Search the AssumeRoleWithSAML event that includes the IAM role.
C. Check the CloudTrail logs in S3 for the TerminateInstances event and identify the role session name. Search the AssumeRole event that includes the IAM role session name.
D. In AWS IAM roles, check the last activity time for each SAML 2.0 federation role. The last activity of the assumed federated role should have the same time as when the instance was terminated.