AWS Certified SysOps Administrator – Associate (legacy) — Question 846

A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket.
Which practices will ensure that the log files are available and unaltered? (Choose two.)

Answer options

• A. Enable the CloudTrail log file integrity check in AWS Config Rules.
• B. Use CloudWatch Events to scan log files hourly.
• C. Enable CloudTrail log file integrity validation.
• D. Turn on Amazon S3 MFA Delete for the CloudTrail bucket.
• E. Implement a DENY ALL bucket policy on the CloudTrail bucket.

Correct answer: C, D

Explanation

Enabling CloudTrail log file integrity validation allows administrators to verify that log files have not been modified or deleted after delivery, using cryptographic hashing. Activating Amazon S3 MFA Delete adds an extra layer of security by requiring multi-factor authentication to delete any objects in the bucket, preventing accidental or malicious removal of logs. Other options, like a DENY ALL bucket policy, would block CloudTrail from writing logs entirely, while AWS Config and CloudWatch Events cannot natively prevent log alteration or deletion.