Exam SAP-C01
Question 830

A company has a new security policy. The policy requires the company to log any event that retrieves data from Amazon S3 buckets. The company must save these audit logs in a dedicated S3 bucket.

The company created the audit logs S3 bucket in an AWS account that is designated for centralized logging. The S3 bucket has a bucket policy that allows write-only cross-account access.

A solutions architect must ensure that all S3 object-level access is being logged for current S3 buckets and future S3 buckets.

Which solution will meet these requirements?

    Correct Answer: D

    To log every object-level access to Amazon S3 and deliver the records to a dedicated bucket in another account, a CloudTrail trail with S3 data event logging is the suitable solution. CloudTrail data events record object-level API calls such as GetObject and PutObject, which is exactly what the security policy demands; they are not recorded by default and must be enabled explicitly on the trail (they are also billed separately from management events). A data event selector that covers all S3 buckets applies to current and future buckets alike, so new buckets are logged without any per-bucket configuration; server access logging, by contrast, has to be switched on bucket by bucket and cannot deliver logs to a bucket in another account. The trail delivers its log files to the audit bucket in the centralized logging account, whose bucket policy must allow the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl and s3:PutObject on it. Keeping all audit records in that write-only bucket consolidates them in one place and out of reach of the accounts being audited.
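As an added illustration (not part of the original page or the exam material), the following Python evaluates a CloudTrail advanced event selector against a few constructed S3 event records. The selector is the shape accepted by `aws cloudtrail put-event-selectors --advanced-event-selectors` and keeps every object-level read in every current and future bucket of the account; the records are abbreviated, made-up CloudTrail JSON (the account ID, bucket and key names are assumptions), included so the matching logic runs offline and shows which events a trail configured this way would actually deliver to the audit bucket.

```python
"""Evaluate a CloudTrail advanced event selector against sample S3 records.

Added example: the selector is what you would pass to
`aws cloudtrail put-event-selectors --advanced-event-selectors`; the records
below are constructed, trimmed CloudTrail events with made-up identifiers.
"""
import json

# Selector: every S3 object-level *read* (GetObject, HeadObject, ...) in every
# current and future bucket. Dropping the readOnly selector would log writes too.
S3_OBJECT_READ_SELECTOR = {
    "Name": "Log every S3 object read",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "readOnly", "Equals": ["true"]},
    ],
}

# Constructed sample records (abbreviated CloudTrail JSON, fictitious account/bucket).
SAMPLE_RECORDS = [
    {  # object read: must be logged under the company policy
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventCategory": "Data", "readOnly": True, "managementEvent": False,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
        "resources": [
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::payroll-data/2024/q1.csv"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::payroll-data"},
        ],
    },
    {  # object write: excluded by the readOnly selector
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "eventCategory": "Data", "readOnly": False, "managementEvent": False,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
        "resources": [
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::payroll-data/2024/q2.csv"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::payroll-data"},
        ],
    },
    {  # management event: covered by the trail's management logging, not a data event
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "eventCategory": "Management", "readOnly": True, "managementEvent": True,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
        "resources": [],
    },
]


def _field_values(record, field):
    """Map an advanced-event-selector field name onto the record's values."""
    if field == "resources.type":
        return [r["type"] for r in record.get("resources", [])]
    if field == "resources.ARN":
        return [r["ARN"] for r in record.get("resources", [])]
    if field == "readOnly":  # CloudTrail compares the boolean as the string "true"/"false"
        return [str(record.get("readOnly", "")).lower()]
    return [str(record.get(field, ""))]


def matches(record, selector):
    """True when every FieldSelector in the selector matches the record (AND semantics)."""
    for fs in selector["FieldSelectors"]:
        values = _field_values(record, fs["Field"])
        if "Equals" in fs:
            ok = any(v in fs["Equals"] for v in values)
        elif "StartsWith" in fs:
            ok = any(v.startswith(p) for v in values for p in fs["StartsWith"])
        elif "NotStartsWith" in fs:
            ok = all(not v.startswith(p) for v in values for p in fs["NotStartsWith"])
        else:
            ok = False  # unsupported operator in this toy evaluator
        if not ok:
            return False
    return True


def select_reads(records, selector=S3_OBJECT_READ_SELECTOR):
    """Return (principal ARN, bucket, key, eventName) for each record the selector keeps."""
    hits = []
    for rec in records:
        if not matches(rec, selector):
            continue
        obj_arn = next(r["ARN"] for r in rec["resources"] if r["type"] == "AWS::S3::Object")
        bucket, _, key = obj_arn.removeprefix("arn:aws:s3:::").partition("/")
        hits.append((rec["userIdentity"]["arn"], bucket, key, rec["eventName"]))
    return hits


if __name__ == "__main__":
    # The JSON below is what goes on the CLI; only the GetObject record survives the filter.
    print(json.dumps([S3_OBJECT_READ_SELECTOR], indent=2))
    for hit in select_reads(SAMPLE_RECORDS):
        print(hit)
```

The selector does not name any bucket, which is what makes future buckets covered automatically; if the audit bucket were in the same account as the trail you would add a `NotStartsWith` selector on `resources.ARN` for it to avoid logging the trail's own deliveries, but with the audit bucket in a separate logging account, as in this question, that is unnecessary.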

Discussion
Bigbearcn (Option: D)

D is correct.

Bigbearcn

S3 access logs don't support cross-account log delivery.

[Removed]

CloudTrail data events for S3 support cross-account log delivery: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-for-s3-resources-in-other-accounts

asfsdfsdf (Option: D)

Only D will force the policy on for future buckets.

CAIYasia

AWS CloudTrail provides comprehensive logging of API calls, including S3 data events, which includes object-level operations like GetObject, PutObject, etc. Data event logging for S3 ensures that every read and write operation at the object level is captured, which satisfies the requirement to log any event that retrieves data from S3 buckets. Enabling data event logging for both current and future S3 buckets ensures compliance with the new security policy and makes sure that no events are missed. Using the audit logs S3 bucket to store the logs consolidates all audit logs in a centralized, designated account, enhancing security and manageability. Enabling server access logging (Option A) only provides information about requests to S3 buckets, but does not capture the detailed object-level events required by the security policy. Hence, CloudTrail is the more suitable solution for the specified requirements.

evargasbrz (Option: D)

I'll go with D

janvandermerwer (Option: D)

D is the standard configuration when we deploy environments. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html

AwsBRFan (Option: D)

In fact, access logs do not support cross-account log delivery: https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html