AWS Certified SysOps Administrator – Associate — Question 405
A company has a private Amazon S3 bucket that contains sensitive information. A SysOps administrator needs to keep logs of the IP addresses from authentication failures that result from attempts to access objects in the bucket. The logs must be stored so that they cannot be overwritten or deleted for 90 days.
Which solution will meet these requirements?
Answer options
- A. Create an AWS CloudTrail trail. Configure the log files to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
- B. Create an AWS CloudTrail trail. Configure the log files to be saved to a different S3 bucket. Turn on CloudTrail log file integrity validation for 90 days.
- C. Turn on access logging for the S3 bucket. Configure the access logs to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.
- D. Turn on access logging for the S3 bucket. Configure the access logs to be saved in a second S3 bucket. Turn on S3 Object Lock on the second S3 bucket, and configure a default retention period of 90 days.
Correct answer: D
Explanation
Amazon S3 server access logging records each request to the bucket, including the requester's IP address and the HTTP status and error code for failed (for example, 403 AccessDenied) requests. Delivering these logs to a second bucket that has S3 Object Lock enabled with a default retention period of 90 days is the only option that prevents the log objects from being deleted or overwritten during that window: Object Lock stores each log as an immutable object version, and in compliance mode the retention period cannot be shortened or removed by any user, including the root user. CloudWatch Logs retention (options A and C) only controls when log events are automatically expired; it does not stop a principal with the right permissions from deleting the log group or stream earlier. CloudTrail log file integrity validation (option B) produces digest files that let you detect whether a log file was modified or deleted after delivery, but it does not prevent that modification or deletion.