AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company wants to analyze and troubleshoot Access Denied errors and Unauthorized errors that are related to IAM permissions. The company has AWS CloudTrail turned on.

Which solution will meet these requirements with the LEAST effort?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use AWS Glue and write custom scripts to query CloudTrail logs for the errors.

Use AWS Batch and write custom scripts to query CloudTrail logs for the errors.

Search CloudTrail logs with Amazon Athena queries to identify the errors.

Search CloudTrail logs with Amazon QuickSight. Create a dashboard to identify the errors.

Explanation:

Explanation

Correct Answer: C - Search CloudTrail logs with Amazon Athena queries to identify the errors.

Why Option C is Correct:

Least Effort: Amazon Athena is a serverless interactive query service that allows you to analyze data in Amazon S3 using standard SQL. Since CloudTrail logs are stored in S3, Athena provides the most straightforward way to query them without provisioning infrastructure.
Direct Query Capability: You can write SQL queries directly against CloudTrail logs to search for specific error types like "AccessDenied" or "Unauthorized" errors.
No Custom Scripts Required: Unlike options A and B, Athena doesn't require writing and maintaining custom scripts or managing infrastructure.
Cost-Effective: Athena charges only for the data scanned per query, making it cost-efficient for occasional troubleshooting.

Why Other Options Are Not the Least Effort:

Option A (AWS Glue):

Requires setting up ETL jobs, writing custom scripts, and managing infrastructure
More complex than direct SQL queries with Athena
Better suited for data transformation and preparation, not simple querying

Option B (AWS Batch):

Requires containerizing scripts, managing compute environments, and job scheduling
Overkill for simple log analysis queries
Involves infrastructure management

Option D (Amazon QuickSight):

Requires creating dashboards and visualizations
More effort than simple querying with Athena
Better for ongoing monitoring and visualization, not one-time troubleshooting

Recommended Approach:

Ensure CloudTrail logs are delivered to an S3 bucket
Create an Athena table using the CloudTrail log format
Write SQL queries to filter for error events:

SELECT *
FROM cloudtrail_logs
WHERE errorcode IN ('AccessDenied', 'Unauthorized')
AND eventtime >= '2024-01-01'

SELECT *
FROM cloudtrail_logs
WHERE errorcode IN ('AccessDenied', 'Unauthorized')
AND eventtime >= '2024-01-01'

This solution provides the quickest, most straightforward way to analyze IAM permission errors with minimal setup and maintenance overhead.

Powered ByGPT-5.2

Comments

Loading comments...