AWS Certified SysOps Administrator – Associate (legacy) — Question 47

A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account's Amazon S3 bucket.
Moving forward, how can the SysOps Administrator confirm that the log files have not been modified after being delivered to the S3 bucket.

Answer options

• A. Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
• B. Enable log file integrity validation and use digest files to verify the hash value of the log file.
• C. Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
• D. Enable S3 server access logging to track requests made to the log bucket for security audits.

Correct answer: B

Explanation

The correct answer is B because enabling log file integrity validation allows the administrator to use digest files to verify the hash value of the logs, ensuring that they have not been altered. Option A does not provide a verification mechanism for the original logs, while option C focuses on replication and encryption, which do not confirm integrity. Option D tracks access but does not prevent or verify tampering of log files.