AWS Certified Solutions Architect – Professional — Question 710
A company has a new security policy. The policy requires the company to log any event that retrieves data from Amazon S3 buckets. The company must save these audit logs in a dedicated S3 bucket.
The company created the audit logs S3 bucket in an AWS account that is designated for centralized logging. The S3 bucket has a bucket policy that allows write-only cross-account access.
A solutions architect must ensure that all S3 object-level access is being logged for current S3 buckets and future S3 buckets.
Which solution will meet these requirements?
Answer options
- A. Enable server access logging for all current S3 buckets. Use the audit logs S3 bucket as a destination for audit logs.
- B. Enable replication between all current S3 buckets and the audit logs S3 bucket. Enable S3 Versioning in the audit logs S3 bucket.
- C. Configure S3 Event Notifications for all current S3 buckets to invoke an AWS Lambda function every time objects are accessed. Store Lambda logs in the audit logs S3 bucket.
- D. Enable AWS CloudTrail, and use the audit logs S3 bucket to store logs. Enable data event logging for S3 event sources, current S3 buckets, and future S3 buckets.
Correct answer: D
Explanation
AWS CloudTrail data events provide a scalable way to track object-level S3 actions (such as data retrieval) across both existing and future S3 buckets automatically. Storing these logs in a centralized, cross-account S3 bucket perfectly aligns with the company's security requirements. Other methods like server access logging or Lambda notifications require manual configuration for each new bucket and do not natively scale as effectively as CloudTrail.
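As an added illustration of option D (example code, not part of the original question page): the CloudTrail advanced event selector that captures S3 object-level reads for all current and future buckets, and a filter that picks those reads out of delivered log records. The log records are constructed samples, and the bucket names are placeholders.

```python
"""Added example, not code from the original page: the CloudTrail advanced event
selector that captures S3 object-level reads for every current and future
bucket, plus a filter that picks those reads out of delivered log records."""
import json


def s3_read_data_event_selector():
    """Advanced event selector with no resources.ARN condition, so it matches
    data events on buckets that do not exist yet as well as current ones."""
    return {
        "Name": "Log all S3 object reads",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "readOnly", "Equals": ["true"]},
        ],
    }

def is_s3_object_read(record):
    """True for a CloudTrail record that is an S3 object-level read (data event)."""
    return (
        record.get("eventCategory") == "Data"
        and record.get("eventSource") == "s3.amazonaws.com"
        and record.get("readOnly") is True
        and any(r.get("type") == "AWS::S3::Object" for r in record.get("resources", []))
    )

def object_reads(log_text):
    """Return (eventName, object ARN) for each S3 object read in a CloudTrail log file."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        if is_s3_object_read(rec):
            arn = next(r["ARN"] for r in rec["resources"] if r["type"] == "AWS::S3::Object")
            out.append((rec["eventName"], arn))
    return out

# Constructed sample records in CloudTrail log-file shape; not real events.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "readOnly": True, "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-data/report.csv"}]},
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "readOnly": False, "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-data/new.csv"}]},
    {"eventCategory": "Management", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "readOnly": True, "resources": []},
]})

if __name__ == "__main__":
    print(json.dumps([s3_read_data_event_selector()], indent=2))
    print(object_reads(SAMPLE_LOG))  # [('GetObject', 'arn:aws:s3:::example-data/report.csv')]
```

The selector is what you would pass to `aws cloudtrail put-event-selectors --advanced-event-selectors` on a multi-region trail whose destination is the centralized audit bucket; because it names no bucket ARN, buckets created later are covered without further configuration.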