A security team is creating a response plan when an employee executes unauthorized actions on AWS infrastructure. They want to include steps to determine if the employee’s IAM permissions changed as part of the incident.
What steps should the team document in the plan?
 

Answer options:

A.Use AWS Config to examine the employee’s IAM permissions before the incident and compare them to the employee’s current IAM permissions.
B.Use Macie to examine the employee’s IAM permissions before the incident and compare them to the employee’s current IAM permissions.
C.Use Amazon GuardDuty to examine the employee’s IAM permissions before the incident and compare them to the employee’s current IAM permissions.
D.Use Trusted Advisor to examine the employee’s IAM permissions before the incident and compare them to the employee’s current IAM permissions.

Answer: A
Option A is CORRECT because, with Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines.
Option B is incorrect because AWS Macie is used for data security and data privacy to discover and protect your sensitive data in AWS. It cannot be used to examine IAM permissions and monitor user activities.
Option C is incorrect because Amazon GuardDuty is a threat detection service that continuously monitors malicious activity but does not give details on the IAM permissions.
Option D is incorrect because AWS Trusted Advisor helps optimize your AWS infrastructure, increase security and performance, reduce your overall costs, and monitor service limits, but it cannot give details on user activities or the change in lAM permissions.
The below snapshot shows an example configuration for a user in AWS Config:
For more information on tracking changes in AWS Config, please visit the below URL:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/TrackingChanges.html