AWS Certified Security – Specialty (SCS-C02) — Question 228
A company needs to log object-level activity in its Amazon S3 buckets. The company also needs to validate the integrity of the log file by using a digital signature.
Which solution will meet these requirements?
Answer options
- A. Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
- B. Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.
- C. Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets to send their S3 server access logs to the log group.
- D. Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
Correct answer: A
Explanation
The correct answer is A. Object-level S3 activity (GetObject, PutObject, DeleteObject and similar API calls) is recorded by CloudTrail data events, which are off by default and must be enabled on a trail with Amazon S3 as the data event type. Log file validation is a trail setting: when it is enabled, CloudTrail delivers an hourly digest file that contains the SHA-256 hash of each delivered log file, a reference to the previous digest, and an RSA signature produced with a CloudTrail private key. The chain can be verified with the AWS CLI command aws cloudtrail validate-logs, which fetches the matching public keys, so both requirements (object-level logging and a digital signature over the logs) are met by a single feature.
Option B is wrong because S3 server access logs are delivered on a best-effort basis and carry no hash or signature, so their integrity cannot be validated. Option C is wrong because server access logs can only be delivered to an S3 bucket, not to a CloudWatch Logs log group. Option D is wrong because log file validation and data events are CloudTrail trail features, not settings of an S3 bucket that receives server access logs.