AWS Certified Security – Specialty — Question 13

A company has multiple production AWS accounts. Each account has AWS CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.
Which steps should be taken to troubleshoot the issue? (Choose three.)

Answer options

• A. Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.
• B. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs.
• C. Create a new CloudTrail configuration in the account, and configure it to log to the account's S3 bucket.
• D. Confirm in the CloudTrail Console that each trail is active and healthy.
• E. Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.
• F. Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Correct answer: B, D, F

Explanation

Option B is correct because the S3 bucket policy must allow the production accounts to write logs to it. Option D is important to ensure that the trails are not disabled or unhealthy, which could prevent logging. Option F is necessary to confirm that the S3 bucket name is correctly specified, as an incorrect name would lead to logs not being delivered. The other options do not address these critical checks.