Skip to main content

AWS DVA-C02 Drill: Auditing RDS Deletions - Pinpointing the Responsible IAM Entity

·731 words·4 mins·
Certification Drills AWS DVA-C02 Amazon RDS CloudTrail IAM Audit
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.
Table of Contents

Jeff’s Note
#

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.

For DVA-C02 candidates, the confusion often lies in knowing which AWS service tracks user API activity versus resource logs. In production, this is about knowing exactly where to find the audit trail that links IAM users or roles to resource manipulation events. Let’s drill down.

The Certification Drill (Simulated Question)
#

Scenario
#

Techverse Labs has an Amazon RDS for MySQL instance named analytics-db. Recently, this database instance was deleted within the last 90 days as part of a cleanup operation. As the lead developer on the team, you’ve been asked to identify which IAM user or role initiated the deletion to understand if it was authorized.

The Requirement:
#

Determine the correct AWS mechanism to audit and find which IAM entity deleted the RDS instance.

The Options
#

  • A) Retrieve the AWS CloudTrail events related to the resource analytics-db where the event name is DeleteDBInstance. Inspect each event to identify the actor.
  • B) Retrieve the Amazon CloudWatch log events from the most recent log stream within the rds/analytics-db log group and analyze the logs for delete activity.
  • C) Retrieve AWS X-Ray trace summaries filtering by service name analytics-db and inspect ErrorRootCauses in each trace to determine if a delete happened.
  • D) Retrieve the AWS Systems Manager deletions inventory, filter entries where TypeName equals RDS, and check deletion details for user identity.

Google adsense
#

leave a comment:

Correct Answer
#

A

Quick Insight: The Developer Audit Imperative
#

  • For developers, the key is recognizing that CloudTrail is the definitive source for tracking AWS API calls that modify resources, including who performed actions.
  • Application or database logs (CloudWatch Logs, X-Ray) do not capture control plane API calls initiated via IAM principals.
  • Systems Manager inventory focuses on managed instances, not direct RDS API call tracking.

Content Locked: The Expert Analysis
#

You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?

Unlock Full Access & Start Mastering

The Expert’s Analysis
#

Correct Answer
#

Option A

The Winning Logic
#

When an RDS instance is deleted, an AWS API call (DeleteDBInstance) is made by an IAM user or role. CloudTrail records all management plane actions, including the caller identity, timestamp, and request parameters. By querying CloudTrail for DeleteDBInstance events targeting analytics-db, developers can directly pinpoint exactly who initiated the operation.

  • CloudWatch Logs in RDS primarily contain database engine logs (query logs, error logs), but do not record control plane API calls.
  • AWS X-Ray traces application-level requests and service calls, but does not track AWS API actions performed via the console or CLI.
  • Systems Manager inventory tracks managed EC2 instance metadata, patch, and software inventory; it does not provide a history of deleted RDS instances.

The Trap (Distractor Analysis)
#

  • Why not Option B? CloudWatch Logs linked to RDS are about database activity, not AWS API events. Deletion events won’t appear here.
  • Why not Option C? X-Ray traces focus on distributed application tracing. It won’t show who deleted infrastructure resources.
  • Why not Option D? Systems Manager’s deletion inventory is for managed instances and does not track RDS resource deletes or IAM principals.

The Technical Blueprint
#

B) For Developer / SysOps (CLI Snippet)
#

To find the user/role responsible using AWS CLI and CloudTrail logs:

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteDBInstance \
  --max-results 10 \
  --query "Events[?Resources[?ResourceName=='analytics-db']].{EventTime:EventTime,Username:Username,EventId:EventId,CloudTrailEvent:CloudTrailEvent}" \
  --output json

This returns the events where DeleteDBInstance was called on the analytics-db resource, including the IAM username or assumed role that initiated it.

The Comparative Analysis
#

Option API Complexity Performance Use Case
A Low High Accurate audit of IAM user/role deleting RDS instance via CloudTrail events
B Medium Medium Not applicable — Engine logs don’t track deletes
C High Low Tracing app errors, not infra API calls
D Medium Low Systems Manager inventory unrelated to RDS deletes

Real-World Application (Practitioner Insight)
#

Exam Rule
#

For the exam, always pick CloudTrail when you see any question about tracking “who did what” to AWS infrastructure.

Real World
#

In practice, you might complement CloudTrail with AWS Config to track resource state changes over time, but user identity always comes from CloudTrail.

(CTA) Stop Guessing, Start Mastering
#

Unlock The Full Analysis Now

Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.