To determine who deleted an Amazon RDS DB instance, the correct source of truth is AWS CloudTrail, which records API activity and includes the identity (IAM user, role, assumed role session) that made the call. Deleting an RDS instance is performed through the RDS API action DeleteDBInstance, and CloudTrail logs an event for this action that contains key fields such as userIdentity, eventTime, eventName, sourceIPAddress, and request parameters identifying the DB instance (for example, dBInstanceIdentifier).
Because the DB instance was deleted within the past 90 days, CloudTrail Event History is commonly sufficient (Event History typically retains 90 days of management events). If the company has a CloudTrail trail configured to deliver logs to S3/CloudWatch Logs, those logs can also be queried for the same event.
Option A directly matches this: retrieve CloudTrail events for DeleteDBInstance related to mysql-db and inspect the userIdentity section to identify the IAM principal that performed the deletion.
Option B is not reliable because RDS log groups (when enabled) capture database engine logs (slow query log, error log, general log) and do not record control-plane actions like who deleted the instance.
Option C is incorrect because X-Ray traces application-level request flows; it does not audit administrative actions like RDS deletion.
Option D is not applicable: Systems Manager inventory does not provide authoritative records of RDS deletions or the IAM principal responsible.
Therefore, CloudTrail lookup for DeleteDBInstance events is the correct solution.
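The lookup described above, as an added example (not part of the original explanation): it filters output shaped like `aws cloudtrail lookup-events` for DeleteDBInstance calls against mysql-db and reads the principal from userIdentity. The sample events, account ID, ARNs and IP addresses are constructed, and the helper names are hypothetical.

```python
import json

# Constructed sample shaped like `aws cloudtrail lookup-events` output: each
# entry carries the full record as a JSON *string* in "CloudTrailEvent".
def _entry(name, identity, db, time, ip):
    record = {"eventTime": time, "eventName": name,
              "eventSource": "rds.amazonaws.com", "sourceIPAddress": ip,
              "userIdentity": identity,
              "requestParameters": {"dBInstanceIdentifier": db}}
    return {"EventName": name, "CloudTrailEvent": json.dumps(record)}

SAMPLE = {"Events": [
    _entry("DeleteDBInstance",
           {"type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/alice",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111122223333:role/ops-admin"}}},
           "mysql-db", "2024-05-02T10:15:00Z", "198.51.100.7"),
    _entry("DeleteDBInstance",
           {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
            "userName": "bob"},
           "other-db", "2024-05-03T08:00:00Z", "203.0.113.9"),
    _entry("ModifyDBInstance",
           {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
            "userName": "bob"},
           "mysql-db", "2024-05-01T09:00:00Z", "203.0.113.9"),
]}

def who_deleted(lookup_output, db_identifier):
    """Return one dict per DeleteDBInstance call that targeted db_identifier."""
    hits = []
    for entry in lookup_output.get("Events", []):
        record = json.loads(entry["CloudTrailEvent"])
        if record.get("eventName") != "DeleteDBInstance":
            continue
        params = record.get("requestParameters") or {}  # may be null in a record
        # Compare identifiers case-insensitively (a choice made in this example).
        if str(params.get("dBInstanceIdentifier", "")).lower() != db_identifier.lower():
            continue
        ident = record.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        hits.append({"eventTime": record.get("eventTime"),
                     "type": ident.get("type"),
                     "principal": ident.get("arn"),
                     "role": issuer.get("arn"),  # None unless a role was assumed
                     "sourceIPAddress": record.get("sourceIPAddress")})
    return hits
```

For an assumed-role session, `principal` names the session and `role` names the IAM role behind it; tying the session back to a person may require the matching AssumeRole event.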