One AWS account of your company has dozens of IAM users. Yesterday, several IAM users performed some unexpected operations, such as terminating EC2 instances. CloudTrail is enabled in the account, and the logs are stored in an S3 bucket and a CloudWatch Log group. You want to identify all AWS Management Console logins that occurred over a 24-hour period. Which of the following methods is the easiest and most cost-efficient?

Answer options:

A.In AWS Athena, perform SQL queries to the CloudTrail log files. Filter the activities to view only ConsoleLogin events that happened during the last 24 hours.
B.In AWS Config, look up all EC2 instances. Check the configuration timeline for each instance to find out who logged in to the AWS console.
C.Login in the AWS CloudTrail console. In the event history, filter the ConsoleLogin resource type and select the time range of yesterday.
D.In the CloudWatch Log group, search for the logs that contain the ConsoleLogin event type over the 24-hour period.

Correct Answer – D
Option A is incorrect: With Athena, you can perform a query to get the required console login information as below:
select useridentity.username, sourceipaddress, eventtime, additionaleventdata
from default.cloudtrail_logs
where eventname = `ConsoleLogin`
and eventtime >= `2019-12-17T00:00:00Z`
and eventtime < `2019-12-18T00:00:00Z`;
 However, this method is not the easiest or cost-effective approach.
Option B is incorrect because it is time-consuming to check the configuration timeline for each EC2 instance. And users may not operate on EC2 instances when they logged in to AWS.
Option C is incorrect: The approach may work. However, ConsoleLogin should be the event name instead of the resource type.
Option D is CORRECT because users can perform queries in CloudWatch Logs, where it is very easy to search for the events. Details can be found at https://aws.amazon.com/blogs/mt/analyzing-cloudtrail-in-cloudwatch/.