AWS Certified Solutions Architect – Associate (SAA-C02) — Question 454
A company wants to migrate its accounting system from an on-premises data center to the AWS Cloud in a single AWS Region. Data security and an immutable audit log are the top priorities. The company must monitor all AWS activities for compliance auditing. The company has enabled AWS CloudTrail but wants to make sure it meets these requirements.
Which actions should a solutions architect take to protect and secure CloudTrail? (Choose two.)
Answer options
- A. Enable CloudTrail log file validation.
- B. Install the CloudTrail Processing Library.
- C. Enable logging of Insights events in CloudTrail.
- D. Enable custom logging from the on-premises resources.
- E. Create an AWS Config rule to monitor whether CloudTrail is configured to use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
Correct answer: A, E
Explanation
Enabling CloudTrail log file validation supports an immutable audit log by letting you detect whether any log file was modified or deleted after CloudTrail delivered it; validation detects tampering rather than preventing it, which is why the detection capability itself is the compliance control. Additionally, an AWS Config rule that checks whether the trail uses server-side encryption with AWS KMS managed keys (SSE-KMS) continuously evaluates the trail's encryption configuration and reports any drift from the required setting. The other options, such as CloudTrail Insights events or the CloudTrail Processing Library, do not directly contribute to the security or immutability of the log files.