AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 346

A company hosts an application in its AWS account. The application uses an Amazon S3 bucket to store objects that contain sensitive information.

The company needs to capture object-level S3 API calls, including calls that are rejected because the calls were made by using credentials that are not valid.

Which solution will meet these requirements?

Answer options

• A. Create an AWS CloudTrail trail in the account. Enable S3 data events logging. Configure the trail to log to Amazon CloudWatch.
• B. Create a new S3 bucket. Configure access logging on the application's S3 bucket. Deliver the access logs to the new S3 bucket.
• C. Configure Amazon GuardDuty with S3 protection enabled for the account. Create an Amazon EventBridge rule that matches findings that are associated with the S3 bucket. Configure the rule to use an Amazon Simple Queue Service (Amazon SQS) queue as the target.
• D. Create an AWS CloudTrail trail and a new S3 bucket in the account. Configure the trail to log to the S3 new bucket.

Correct answer: A

Explanation

AWS CloudTrail data events must be enabled to log object-level Amazon S3 API operations. CloudTrail records both successful and failed API requests, including those rejected due to invalid credentials, and sending these logs to Amazon CloudWatch allows for real-time monitoring and alerting. Other options like S3 server access logging or GuardDuty do not provide the comprehensive API auditing and immediate alerting capabilities required for invalid credential tracking.