AWS Certified Security – Specialty — Question 157

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected.
What initial actions should be taken to allow delivery of CloudTrail events to S3? (Choose two.)

Answer options

• A. Verify that the S3 bucket policy allow CloudTrail to write objects.
• B. Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
• C. Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
• D. Verify that the S3 bucket defined in CloudTrail exists.
• E. Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.

Correct answer: A, D

Explanation

Option A is correct because the S3 bucket policy must explicitly allow CloudTrail to write objects; without this permission, events cannot be delivered. Option D is also correct since CloudTrail needs to reference an existing S3 bucket to successfully send logs. The other options do not address the specific issue of event delivery to S3.