
Answer-first summary for fast verification
Answer: A and D. Enable AWS CloudTrail and use it for auditing, and enable AWS Config and create rules for auditing and compliance purposes.
## Explanation

**Correct Answers:** A and D

**Why A (AWS CloudTrail) is correct:**

- AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
- It logs all API calls made in your AWS account, including who made the call, when it was made, and what resources were affected.
- For tracking EC2 instance provisioning and security group modifications, CloudTrail provides detailed audit trails of these API calls (e.g., `RunInstances`, `AuthorizeSecurityGroupIngress`, `ModifySecurityGroupRules`).

**Why D (AWS Config) is correct:**

- AWS Config continuously monitors and records your AWS resource configurations and lets you automate the evaluation of recorded configurations against desired configurations.
- It tracks configuration changes over time and provides a detailed inventory of your AWS resources.
- You can create Config rules to evaluate resource configurations for compliance with internal policies (e.g., flagging oversized EC2 instance types or unauthorized security group changes).

**Why the other options are incorrect:**

**B (Data lifecycle policies):**

- Data lifecycle policies manage the storage lifecycle of data (like Amazon S3 lifecycle policies); they do not track configuration changes or audit user actions.

**C (AWS Trusted Advisor):**

- AWS Trusted Advisor provides best-practice recommendations across cost optimization, security, fault tolerance, and performance, but it does not provide detailed audit trails of user actions or configuration changes.
- While it has a security dashboard, it is not designed for tracking specific user provisioning activities or configuration modifications.

**E (Restore with CloudFormation):**

- AWS CloudFormation is for infrastructure as code and deployment, not for auditing or tracking changes.
- While you could use CloudFormation to restore configurations, this does not address the requirement to "track and audit" changes; it only addresses remediation after the fact.

**Key AWS Services for Auditing:**

1. **AWS CloudTrail**: API call logging and user activity tracking
2. **AWS Config**: resource configuration tracking and compliance auditing
3. **Amazon CloudWatch**: monitoring and alerting (could complement the solution)
4. **AWS Security Hub**: centralized security findings (aggregates from multiple services)

Together, CloudTrail and Config provide comprehensive visibility into both user activities (who did what) and resource configurations (what changed).
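As an added example (not part of the original page), here is a small Python audit that runs over constructed CloudTrail-style records and flags the two activities the question describes: instances launched with a type outside an approved list, and security group rule changes, keyed on the event names cited above. The approved instance types, account ID, user names and security group ID are made up for illustration.

```python
"""Added example: audit constructed CloudTrail records for oversized
EC2 launches and security group rule changes (not from the original page)."""
import json

# Constructed policy: instance types that may be launched without change approval.
APPROVED_INSTANCE_TYPES = {"t3.micro", "t3.small", "t3.medium"}

# CloudTrail event names (EC2 API actions) that modify security group rules.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
}


def audit_events(records):
    """Return one finding (time, caller ARN, issue) per policy-violating record."""
    findings = []
    for rec in records:
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        name = rec.get("eventName")
        params = rec.get("requestParameters", {})
        if name == "RunInstances":
            itype = params.get("instanceType")
            if itype not in APPROVED_INSTANCE_TYPES:
                findings.append({"time": rec["eventTime"], "user": who,
                                 "issue": f"oversized instance {itype}"})
        elif name in SG_CHANGE_EVENTS:
            findings.append({"time": rec["eventTime"], "user": who,
                             "issue": f"{name} on {params.get('groupId')}"})
    return findings


# Constructed sample records in the shape of CloudTrail "Records" entries.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"instanceType": "m5.24xlarge"}},
    {"eventTime": "2024-01-10T09:07:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
]

if __name__ == "__main__":
    print(json.dumps(audit_events(SAMPLE_RECORDS), indent=2))
```

In practice the same logic would run over records delivered to the CloudTrail S3 bucket, or be expressed as an AWS Config rule evaluating the resulting instance and security group configurations.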
Author: LeetQuiz Editorial Team
A company recently migrated its entire IT environment to the AWS Cloud. The company discovers that users are provisioning oversized Amazon EC2 instances and modifying security group rules without using the appropriate change control process. A solutions architect must devise a strategy to track and audit these inventory and configuration changes.
Which actions should the solutions architect take to meet these requirements? (Choose two.)
A. Enable AWS CloudTrail and use it for auditing.
B. Use data lifecycle policies for the Amazon EC2 instances.
C. Enable AWS Trusted Advisor and reference the security dashboard.
D. Enable AWS Config and create rules for auditing and compliance purposes.
E. Restore previous resource configurations with an AWS CloudFormation template.