AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 342
To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files.
Answer options
- A. SSE-S3
- B. SCE-KMS
- C. SCE-S3
- D. SSE-KMS
Correct answer: D
Explanation
To directly manage the security layer of AWS CloudTrail logs, you can encrypt them using Server-Side Encryption with AWS KMS keys (SSE-KMS), which allows you to manage key rotation and access policies. SSE-S3 uses keys managed entirely by Amazon S3, offering less direct control over the security layer. SCE-KMS and SCE-S3 are incorrect: both are fabricated acronyms in this context.