AWS Certified Security – Specialty — Question 59
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?
Answer options
- A. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
- B. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
- C. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
- D. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
Correct answer: C
Explanation
The correct answer is C because configuring the trail for server-side encryption with KMS-managed keys (SSE-KMS) makes CloudTrail encrypt every log file it delivers to S3 with the chosen CMK automatically, with no per-file action required. Option A is inefficient because it requires a separate KMS Encrypt call for each log entry as it is generated. Option B does not use KMS at all; it relies on S3-managed keys (SSE-S3), so the logs are not protected by a CMK and the option may not meet specific security requirements. Option D confuses encryption in transit with encryption at rest: TLS on the API endpoint protects the API call on the wire, it does not encrypt the stored log files, and so it does not address the automation of log encryption.