Practice Test 4 | AWS Certified Solutions Architect Associate | SAA-C03 | Dumps | Mock Test

Correct Answer: D

After you enable CloudTrail log file integrity, it will create a hash file called as digest file which refers to logs that are generated. This digest file is saved in different folder in S3 bucket where log files are saved. Each of this digest file has private key of public & private key pair. DIgest file can be validated using public key. This feature ensures that all the modification made to CloudTrail log files are recorded..

• Option A is incorrect as by default all CloudTrail log files are delivered to S3 buckets using SSE-S3 encryption, this will not ensure the integrity of log files.
• Option B is incorrect as with Amazon SSE-KMS encryption for CloudTrail log file, there would be additional layer of security for log files, but it won’t ensure integrity of log files.
• Option C is incorrect as although this will restrict access to bucket but won’t ensure that no modification has been done to log files post delivering in S3 buckets.
• For more information on CloudTrail Log file Integrity, refer to following URLs,
  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
  • https://aws.amazon.com/blogs/aws/aws-cloudtrail-update-sse-kms-encryption-log-file-integrity-verification/