The immediate containment step for exposed access keys is todisable (deactivate) the compromised IAM access key(Option B). This prevents any further use of the leaked credentials, which is essential once secrets are publicly exposed. Creating a new key (Option D) may be part of recovery later, but it does not stop abuse of the already exposed key unless the exposed key is first deactivated.

To determine whether the credentials were used, you need evidence of access activity. Among the provided options, the best fit is generating and reviewing theIAM credential report(Option E). The report includes metadata such as access key status and “last used” style details that help triage whether the user’s credentials have been exercised recently. While deeper investigation would typically rely on CloudTrail “AccessKeyId” searches, the credential report is a quick AWS-native step aligned to the answer choices.

Option A is not correct: IAM Access Analyzer helps identify external access paths to resources and validate policies; it does not provide a definitive history of what a specific access key did. Option C is not a GuardDuty capability—GuardDuty generates findings; it does not “block” a specific access key. Therefore, deactivating the key and using credential reporting to assess recent usage best matches the requirements.