AWS Certified Solutions Architect – Professional — Question 422
You currently operate a web application. In the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2.IAM And RDS resources. The solution must ensure the integrity and confidentiality of your log data.
Which of these solutions would you recommend?
Answer options
- A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.
- B. Create a new CloudTrail with one new S3 bucket to store the logs Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket mat stores your logs.
- C. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA). Delete on the S3 bucket that stores your logs.
- D. Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.
Correct answer: A
Explanation
Option A is correct because capturing IAM changes, which are global resources, requires enabling the global services option in CloudTrail. Furthermore, storing these logs in a new S3 bucket secured with IAM roles, S3 bucket policies, and MFA Delete guarantees the highest level of confidentiality and prevents accidental or malicious deletion. Other options are incorrect because they either fail to log global IAM events, rely on S3 ACLs instead of more secure bucket policies, or unnecessarily complicate the architecture by creating separate trails for different API clients.