Practice Test 4 | AWS Certified Solutions Architect Associate | SAA-C03 | Dumps | Mock Test
You are working as an AWS Architect for a global media firm. They have web servers deployed on EC2 instances across multiple regions. For audit purposes, you have created a CloudTrail trail that stores all CloudTrail event log files in an S3 bucket.
This trail applies to all regions, and the log files are stored in an S3 bucket in the EU-Central region. During last year's audit, the auditors raised a query on the integrity of the log files stored in the S3 bucket and issued a finding of non-compliance. What feature can help you gain compliance from the auditors on this query?
A. Use Amazon SSE-S3 encryption for CloudTrail log file while storing to S3 buckets.
B. Use Amazon SSE-KMS encryption for CloudTrail log file while storing to S3 buckets.
C. Use S3 bucket policy to grant access to only Security head for S3 buckets having CloudTrail log files.
D. Enable CloudTrail log file integrity validation feature.
Explanation:
Correct Answer: D
After you enable CloudTrail log file integrity validation, CloudTrail creates a hash file, called a digest file, that references the log files it has delivered. The digest file is saved in a separate folder of the same S3 bucket that holds the log files. Each digest file is signed with the private key of a public/private key pair, and the digest file can be validated using the corresponding public key. This feature ensures that any modification made to the CloudTrail log files after delivery is detectable.
- Option A is incorrect: by default, all CloudTrail log files are delivered to S3 buckets using SSE-S3 encryption, and this does not ensure the integrity of the log files.
- Option B is incorrect: with SSE-KMS encryption for CloudTrail log files there is an additional layer of protection for the log files at rest, but it does not ensure their integrity.
- Option C is incorrect: although a bucket policy restricts access to the bucket, it does not prove that no modification has been made to the log files after they were delivered to the S3 bucket.
- For more information on CloudTrail log file integrity validation, refer to the following URLs:
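The hash-and-sign mechanism the explanation describes, as an added example that is neither AWS code nor the real CloudTrail digest format: constructed sample log objects are hashed with SHA-256, the per-file hashes (plus a link to the previous digest, which is how digest files chain together) are signed with an RSA private key, and an auditor-side check verifies the signature with the public key before recomputing every hash. The key pair, object keys, account id and log bodies are all constructed for this example. In the real service AWS holds the private key and publishes only the public keys (`aws cloudtrail list-public-keys`), which is why `aws cloudtrail validate-logs` can be run by an auditor who has no signing key at all.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// LogFile models one CloudTrail log object delivered to S3 (constructed sample data;
// real log objects are gzip'd JSON, plain JSON is used here for readability).
type LogFile struct {
	Key  string
	Body []byte
}

// Digest models what a digest file carries: one SHA-256 per log file, the hash of the
// previous digest (the chain link), and the RSA signature computed over all of it.
type Digest struct {
	LogHashes          map[string]string // S3 key -> hex SHA-256 of the log body
	PreviousDigestHash string            // empty for the first digest in the chain
	Signature          []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical is the byte string that gets hashed and signed: sorted key=hash lines plus
// the chain link, so signer and verifier always serialise the digest identically.
func (d *Digest) canonical() []byte {
	keys := make([]string, 0, len(d.LogHashes))
	for k := range d.LogHashes {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var sb strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&sb, "%s=%s\n", k, d.LogHashes[k])
	}
	fmt.Fprintf(&sb, "previous=%s\n", d.PreviousDigestHash)
	return []byte(sb.String())
}

// NewKey generates the signing key pair (hypothetical stand-in for the key AWS holds).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildDigest is the delivery-side step: hash every delivered log file, link to the
// previous digest, and sign the result with the private key.
func BuildDigest(priv *rsa.PrivateKey, logs []LogFile, prev *Digest) (*Digest, error) {
	d := &Digest{LogHashes: map[string]string{}}
	for _, l := range logs {
		d.LogHashes[l.Key] = sha256Hex(l.Body)
	}
	if prev != nil {
		d.PreviousDigestHash = sha256Hex(prev.canonical())
	}
	h := sha256.Sum256(d.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	d.Signature = sig
	return d, nil
}

// ValidateLogs is the auditor-side check. It first verifies the digest signature with the
// public key (a forged or edited digest is rejected outright), then recomputes each log
// file's hash. It returns the keys of log files that were modified, deleted, or not covered.
func ValidateLogs(pub *rsa.PublicKey, d *Digest, logs []LogFile) ([]string, error) {
	h := sha256.Sum256(d.canonical())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], d.Signature); err != nil {
		return nil, fmt.Errorf("digest signature invalid: %w", err)
	}
	var bad []string
	seen := map[string]bool{}
	for _, l := range logs {
		seen[l.Key] = true
		if want, ok := d.LogHashes[l.Key]; !ok || want != sha256Hex(l.Body) {
			bad = append(bad, l.Key) // modified after delivery, or not listed in the digest
		}
	}
	for k := range d.LogHashes {
		if !seen[k] {
			bad = append(bad, k) // listed in the digest but deleted from the bucket
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// SampleLogs returns constructed log objects; keys mimic the CloudTrail prefix layout.
func SampleLogs() []LogFile {
	return []LogFile{
		{Key: "AWSLogs/111122223333/CloudTrail/eu-central-1/2024/01/01/a.json", Body: []byte(`{"Records":[{"eventName":"RunInstances"}]}`)},
		{Key: "AWSLogs/111122223333/CloudTrail/eu-central-1/2024/01/01/b.json", Body: []byte(`{"Records":[{"eventName":"DeleteTrail"}]}`)},
	}
}

func main() {
	priv, _ := NewKey()
	logs := SampleLogs()
	d, _ := BuildDigest(priv, logs, nil)
	bad, err := ValidateLogs(&priv.PublicKey, d, logs)
	fmt.Println("untouched logs ->", bad, err)
	logs[1].Body = []byte(`{"Records":[]}`) // a log file is edited after delivery
	bad, err = ValidateLogs(&priv.PublicKey, d, logs)
	fmt.Println("edited log     ->", bad, err)
}
```

The point the explanation makes about options A to C shows up directly in `ValidateLogs`: encryption at rest and bucket policies change who can read or write the objects, but only the signed digest lets a third party prove that the bytes they are reading are the bytes CloudTrail delivered. Editing a log file changes its hash, deleting one leaves an unmatched digest entry, and rewriting the digest itself to cover the edit breaks the signature because the editor does not hold the private key.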