AWS Certified Security – Specialty (SCS-C02) — Question 106

A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account.

All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)

Answer options

Correct answer: A, D

Explanation

Option A is correct because it ensures that logs are retained for two years in compliance mode, preventing any changes or deletions. Option D is also correct because it facilitates centralized logging of AWS account activity to the designated bucket. Options B and C do not meet the requirement of logging to the dedicated security account, while option E introduces unnecessary complexity with multiple accounts and data transfer processes.