AWS Certified SysOps Administrator – Associate — Question 457
A company stores critical data in Amazon S3 buckets. A SysOps administrator must build a solution to record all S3 API activity.
Which action will meet this requirement?
Answer options
- A. Configure S3 bucket metrics to record object access logs.
- B. Create an AWS CloudTrail trail to log data events for all S3 objects.
- C. Enable S3 server access logging for each S3 bucket.
- D. Use AWS IAM Access Analyzer for Amazon S3 to store object access logs.
Correct answer: B
Explanation
AWS CloudTrail data events record S3 object-level API operations (such as GetObject and PutObject), which fulfills the requirement to record all S3 API activity. S3 server access logging (Option C) tracks requests but does not offer the same integration and auditing capabilities as CloudTrail. S3 bucket metrics (Option A) and AWS IAM Access Analyzer for Amazon S3 (Option D) are used for performance monitoring and access analysis, respectively, not for logging API activity.