AWS Certified Solutions Architect – Professional (SAP-C02) — Question 193
A company is storing sensitive data in an Amazon S3 bucket. The company must log all activities for objects in the S3 bucket and must keep the logs for 5 years. The company's security team also must receive an email notification every time there is an attempt to delete data in the S3 bucket.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)
Answer options
- A. Configure AWS CloudTrail to log S3 data events.
- B. Configure S3 server access logging for the S3 bucket.
- C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES).
- D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.
- E. Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering.
- F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.
Correct answer: A, D, F
Explanation
The correct steps are A, D, and F. AWS CloudTrail logs S3 data events, which fulfills the logging requirement. Sending deletion events to EventBridge and then to SNS ensures that the security team receives notifications efficiently. Creating a separate S3 bucket for the logs with a Lifecycle policy allows for cost-effective long-term storage. The other options either do not meet the logging and notification needs as effectively or are not the most economical.