AWS Certified Security – Specialty — Question 195

A company is collecting AWS CloudTrail log data from multiple AWS accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account. After CloudTrail introduced support for AWS Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its AWS accounts.
The company's security engineer created an AWS Organizations trail in the master account, enabled server-side encryption with AWS KMS managed keys (SSE-
KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.
Which factors could cause this issue? (Choose two.)

Answer options

• A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.
• B. The CMK key policy does not allow CloudTrail to make GenerateDatakey API calls against the key.
• C. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.
• D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.
• E. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographical operations.

Correct answer: B, D

Explanation

The correct answers are B and D. Option B is correct because the CMK key policy must permit CloudTrail to call the GenerateDatakey API, which is essential for encryption. Option D is also correct as the S3 bucket policy needs to grant permissions for CloudTrail to make PutObject API calls to store logs. The other options do not directly contribute to the issues of logs not being delivered to the S3 bucket.