AWS Certified Solutions Architect – Associate (SAA-C02) — Question 241
The financial application at a company stores monthly reports in an Amazon S3 bucket. The vice president of finance has mandated that all access to these reports be logged and that any modifications to the log files be detected.
Which actions can a solutions architect take to meet these requirements?
Answer options
- A. Use S3 server access logging on the bucket that houses the reports with the read and write data events and log file validation options enabled.
- B. Use S3 server access logging on the bucket that houses the reports with the read and write management events and log file validation options enabled.
- C. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write data events on the S3 bucket that houses the reports. Log these events to a new bucket, and enable log file validation.
- D. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write management events on the S3 bucket that houses the reports. Log these events to a new bucket, and enable log file validation.
Correct answer: C
Explanation
The correct answer is C because AWS CloudTrail is designed for logging API calls and events, including read and write data events on S3 buckets, and its log file validation option addresses the requirement to detect modifications to the log files. Options A and B use S3 server access logging, which does not capture all necessary operations for compliance purposes. Option D uses CloudTrail but logs management events rather than data events, and data events are what record access to the reports in this scenario.
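The difference between options C and D can be checked mechanically. The following is an added example, not part of the original question: a small audit over trail settings shaped like the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors`. The bucket and trail names are constructed, and only basic event selectors are handled (advanced event selectors are out of scope).

```python
# Constructed sample data; bucket and trail names are hypothetical.
REPORTS_BUCKET = "example-finance-reports"

OPTION_C = {  # data events on the reports bucket, validation on, separate log bucket
    "trail": {"Name": "reports-trail", "S3BucketName": "example-trail-logs",
              "LogFileValidationEnabled": True},
    "selectors": [{"ReadWriteType": "All", "IncludeManagementEvents": False,
                   "DataResources": [{"Type": "AWS::S3::Object",
                                      "Values": ["arn:aws:s3:::example-finance-reports/"]}]}],
}
OPTION_D = {  # management events only: object reads and writes are not recorded
    "trail": {"Name": "reports-trail", "S3BucketName": "example-trail-logs",
              "LogFileValidationEnabled": True},
    "selectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                   "DataResources": []}],
}

def audit_trail(trail, selectors, bucket):
    """Return the gaps between a trail's settings and the scenario's requirements."""
    findings = []
    # Requirement: modifications to the log files must be detectable.
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled")
    # Option C delivers the trail's logs to a new bucket, not the reports bucket.
    if trail.get("S3BucketName") == bucket:
        findings.append("trail logs delivered to the reports bucket itself")
    # Requirement: all access to the reports is logged, i.e. S3 object-level
    # data events. DataResources values are ARN prefixes, so a value covers the
    # whole bucket when the bucket's object ARN starts with it.
    object_arn = f"arn:aws:s3:::{bucket}/"
    covered = set()
    for sel in selectors:
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            if any(v and object_arn.startswith(v) for v in res.get("Values", [])):
                covered.add(sel.get("ReadWriteType", "All"))
    if not covered:
        findings.append("no S3 data events for the reports bucket")
    elif "All" not in covered and not {"ReadOnly", "WriteOnly"} <= covered:
        findings.append("data events cover only " + ", ".join(sorted(covered)))
    return findings

if __name__ == "__main__":
    for name, cfg in (("C", OPTION_C), ("D", OPTION_D)):
        print(name, audit_trail(cfg["trail"], cfg["selectors"], REPORTS_BUCKET) or "meets both requirements")
```
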