
Answer-first summary for fast verification
Answer: AWS CloudTrail
**Explanation:** AWS CloudTrail is the correct service for tracking user activity and API calls made in an AWS account. Here's why:

1. **AWS CloudTrail** is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It logs all API calls made in your AWS account, including:
   - Who made the call (IAM user, role, or AWS service)
   - When the call was made
   - What service was called
   - What action was performed
   - The request parameters
   - The response elements returned

2. **For this specific scenario**:
   - The solutions architect needs to identify which IAM user made configuration changes to security group rules
   - CloudTrail logs all API calls to EC2 (including security group modifications)
   - It records the IAM user identity for each API call
   - The logs can be searched by time frame ("last week") and resource type

3. **Why the other options are incorrect**:
   - **Amazon GuardDuty (A)**: This is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, but it doesn't provide detailed API call logs with user attribution.
   - **Amazon Inspector (B)**: This is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS, but it doesn't track user activity.
   - **AWS Config (D)**: This service assesses, audits, and evaluates the configurations of your AWS resources, but it focuses on the current state and configuration history of resources, not on who made specific API calls.

**Key takeaway**: When you need to answer "who did what, when, and from where" in AWS, CloudTrail is the service to use. It's essential for security auditing, compliance, and troubleshooting configuration issues.
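The explanation above says CloudTrail records the principal, time, action and request parameters for each API call, and that a trail can be searched by time window and resource type. The following added example (not part of the LeetQuiz page and not AWS code) shows what that lookup looks like when done offline against a delivered CloudTrail log file: it filters the `Records` array for EC2 security-group API actions inside a date range and attributes each one to the IAM user or assumed-role session that made it. The records, account ID, user names, IP addresses and security group IDs are all constructed for the example.

```python
"""Attribute security-group changes to the principal that made them.

Added example (not part of the original quiz page). The log below is
constructed in the layout of a delivered CloudTrail log file (a JSON
object with a "Records" array); every value in it is made up.
"""
import json
from datetime import datetime, timezone

# EC2 API actions that create, delete or change security-group rules.
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules", "CreateSecurityGroup", "DeleteSecurityGroup",
}

# Constructed sample records (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {   # in window: rule change by a direct IAM user
        "eventTime": "2024-05-13T09:15:02Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bob",
                         "arn": "arn:aws:iam::123456789012:user/deploy-bob"},
        "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890"},
    },
    {   # in window: unrelated EC2 call, must be ignored
        "eventTime": "2024-05-13T09:20:41Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bob",
                         "arn": "arn:aws:iam::123456789012:user/deploy-bob"},
        "requestParameters": {},
    },
    {   # in window: rule change made through an assumed role session
        "eventTime": "2024-05-14T17:02:10Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice",
                         "sessionContext": {"sessionIssuer": {"userName": "OpsRole"}}},
        "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890"},
    },
    {   # outside the window: must be ignored for a "last week" search
        "eventTime": "2024-05-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateSecurityGroup", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "arn": "arn:aws:iam::123456789012:user/carol"},
        "requestParameters": {"groupName": "web-sg"},
    },
]})


def parse_event_time(value: str) -> datetime:
    """CloudTrail writes eventTime as ISO-8601 UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(record: dict) -> str:
    """Readable principal from the userIdentity block.

    IAM users carry userName directly. For an assumed role the identity is
    the role; the session name (last ARN segment) usually names the human
    or pipeline that assumed it, so both are reported.
    """
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "Unknown")
    if kind == "IAMUser":
        return f"IAMUser:{ident.get('userName', '?')}"
    if kind == "AssumedRole":
        role = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        return f"AssumedRole:{role}/{session}"
    if kind == "Root":
        return "Root"
    return f"{kind}:{ident.get('arn', '?')}"


def find_security_group_changes(log_json: str, start: str, end: str) -> list:
    """Security-group changes in a log file between start and end (inclusive,
    both given in CloudTrail's eventTime format), oldest first."""
    lo, hi = parse_event_time(start), parse_event_time(end)
    hits = []
    for rec in json.loads(log_json).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in SECURITY_GROUP_EVENTS:
            continue
        if not (lo <= parse_event_time(rec["eventTime"]) <= hi):
            continue
        params = rec.get("requestParameters") or {}
        hits.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "principal": principal_of(rec),
            "source_ip": rec.get("sourceIPAddress"),
            "group": params.get("groupId") or params.get("groupName"),
        })
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for hit in find_security_group_changes(SAMPLE_LOG, "2024-05-13T00:00:00Z", "2024-05-19T23:59:59Z"):
        print(hit)
```

Two points the quiz explanation glosses over show up in the output: a change made through an assumed role is attributed to the role, with the session name as the only hint of who assumed it, so trails are most useful when role sessions are named after the caller; and the `RunInstances` call by the same user is dropped, which is why filtering on the EC2 event name rather than on the user is the right first cut when the question is "who changed this security group".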
Author: LeetQuiz Editorial Team
An IAM user made several configuration changes to AWS resources in their company's account during a production deployment last week. A solutions architect learned that a couple of security group rules are not configured as desired. The solutions architect wants to confirm which IAM user was responsible for making changes.
Which service should the solutions architect use to find the desired information?
A. Amazon GuardDuty
B. Amazon Inspector
C. AWS CloudTrail
D. AWS Config