AWS Certified Security – Specialty — Question 125

A company recently performed an annual security assessment of its AWS environment. The assessment showed the audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.
How should a Security Engineer resolve these issues?

Answer options

• A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
• B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
• C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
• D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.

Correct answer: D

Explanation

The correct answer is D because creating an AWS CloudTrail trail allows you to store audit logs in Amazon S3, thus addressing the issue of log retention beyond 90 days. Additionally, configuring an AWS Config rule ensures that any unauthorized changes to IAM policies are detected and reported. Options A, B, and C do not adequately address both issues regarding log retention and unauthorized changes.