AWS Certified Security – Specialty (SCS-C02) — Question 62

A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs.
Which combination of steps should the security team take? (Choose three.)

Answer options

• A. Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
• B. Compress log files with secure gzip.
• C. Create an Amazon EventBridge rule to notify the security team of any modifications on CloudTrail log files.
• D. Implement least privilege access to the S3 bucket by configuring a bucket policy.
• E. Configure CloudTrail log file integrity validation.
• F. Configure Access Analyzer for S3.

Correct answer: A, D, E

Explanation

The correct steps involve implementing server-side encryption with AWS KMS (A) to protect data, configuring least privilege access via a bucket policy (D) to restrict access, and enabling log file integrity validation (E) to ensure the logs haven't been tampered with. Options B and C, while useful for compression and notifications respectively, do not directly address the requirements of preventing unauthorized access and tampering, and option F pertains to access analysis rather than securing the logs themselves.