AWS Certified SysOps Administrator – Associate (legacy) — Question 876

A company's Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team's AWS account for monitoring.
How can this be accomplished?

Answer options

• A. Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and sent the information to an Amazon SQS queue managed by the Security team.
• B. Create an event bus in the Security team's account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team's event bus as the target.
• C. Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.
• D. Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team.

Correct answer: C

Explanation

AWS CloudTrail records all API calls for AWS KMS, capturing key deletion and rotation events automatically. By configuring CloudTrail in each production account to deliver logs to a centralized Amazon S3 bucket managed by the Security team, you establish a secure, continuous, and highly reliable audit trail. Other methods, such as scheduled Lambda functions or AWS Config rules, introduce unnecessary complexity and latency compared to native CloudTrail log aggregation.