AWS Certified Security – Specialty — Question 134
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.
What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)
Answer options
- A. Turn on AWS CloudTrail in each AWS account.
- B. Turn on CloudTrail in only the account that will be storing the logs.
- C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
- D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
- E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
Correct answer: A, E
Explanation
Enabling AWS CloudTrail in each AWS account (Option A) is what actually captures the API calls made in every account across the organization. Updating the bucket policy of the central log bucket (Option E) grants CloudTrail in the other accounts permission to deliver logs into that bucket while keeping the access rules under the bucket owner's control in one auditable place. Modifying the bucket ACL instead (Option C) is less secure: ACLs are a coarser, legacy mechanism and do not provide the same level of control as a bucket policy.