A company uses AWS CloudTrail to log all API activity in its AWS account. The security team needs to ensure that the CloudTrail log files have not been tampered with after they are delivered to Amazon S3. How can this be achieved?

Answer options:

Enable Amazon S3 Object Lock on the destination bucket.

Enable CloudTrail log file integrity validation.

Encrypt the CloudTrail logs using AWS KMS.

Use Amazon Macie to monitor the S3 bucket for unauthorized changes.

How to approach this question

Look for the specific CloudTrail feature designed for this exact purpose: log file integrity validation.

Full Answer

B.Enable CloudTrail log file integrity validation.✓ Correct

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

Common mistakes

Choosing S3 Object Lock. While good for compliance, the question specifically asks how to ensure/verify they haven't been tampered with, which is the exact use case for log file integrity validation.

Question 12 All questions Question 14

Practice the full AWS SAA-C03 Practice Exam 1

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team wants...Medium Q02A solutions architect is designing an application that will run on Amazon EC2 instances. The appl...Easy Q03A company wants to implement a federated identity solution for its employees to access the AWS Ma...Medium Q04A mobile application needs to access Amazon DynamoDB directly to read user-specific data. The app...Hard Q05A company is hosting a web application on Amazon EC2 instances. The application connects to an Am...Medium

View all 65 questions →