AWS Certified Solutions Architect - Professional

Get started today

Ultimate access to all questions.

Explanation:

Answer A suggests enabling server access logging for all current S3 buckets and using the audit logs S3 bucket as a destination for audit logs.

Explanation for Answer A:
- Server Access Logging: It is a feature offered by Amazon S3 that provides detailed records for the requests made to your bucket. When you enable server access logging, logs are stored in an S3 bucket and record the operations performed, such as GET, PUT, DELETE, etc.
- Centralized Logging: By configuring the audit logs S3 bucket, already designated for centralized logging, as the destination for these logs, you achieve the objective of centralized auditing. The audit logs bucket is in an account meant for centralized logging and has policies that allow cross-account writing, facilitating the collection of logs from different accounts.
- S3 Bucket Policies: The audit logs bucket is set up with a policy that enables write-only access specifically for logging, ensuring that logs can be added but not altered or deleted, which adheres to compliance and security requirements.
- Future S3 Buckets: While this option primarily mentions current S3 buckets, implementing server access logging policy systematically to all new buckets can be automated through scripts or AWS CloudFormation, ensuring future compliance.

Thus, enabling server access logging and directing these logs to the centralized audit logs bucket meets the security policy requirement to log data retrieval events from S3 buckets. However, this approach may not directly address object-level logging comprehensively for all operations that CloudTrail can provide.

Explanation:

Answer A suggests enabling server access logging for all current S3 buckets and using the audit logs S3 bucket as a destination for audit logs.

Explanation for Answer A:
- Server Access Logging: It is a feature offered by Amazon S3 that provides detailed records for the requests made to your bucket. When you enable server access logging, logs are stored in an S3 bucket and record the operations performed, such as GET, PUT, DELETE, etc.
- Centralized Logging: By configuring the audit logs S3 bucket, already designated for centralized logging, as the destination for these logs, you achieve the objective of centralized auditing. The audit logs bucket is in an account meant for centralized logging and has policies that allow cross-account writing, facilitating the collection of logs from different accounts.
- S3 Bucket Policies: The audit logs bucket is set up with a policy that enables write-only access specifically for logging, ensuring that logs can be added but not altered or deleted, which adheres to compliance and security requirements.
- Future S3 Buckets: While this option primarily mentions current S3 buckets, implementing server access logging policy systematically to all new buckets can be automated through scripts or AWS CloudFormation, ensuring future compliance.

Comments (0)

No comments yet.

A company has a new security policy. The policy requires the company to log any event that retrieves data from Amazon S3 buckets. The company must save these audit logs in a dedicated S3 bucket. The company created the audit logs S3 bucket in an AWS account that is designated for centralized logging. The S3 bucket has a bucket policy that allows write-only cross-account access. A solutions architect must ensure that all S3 object-level access is being logged for current S3 buckets and fture S3 buckets. Which solution will meet these requirements?

Exam-Like

Last updated: March 22, 2026 at 14:03

Enable server access logging for all current S3 buckets Use the audit logs S3 bucket as a destination for audit logs

42.9%

Enable replication between all current S3 buckets and the audit logs S3 bucket Enable S3 Versioning in the audit logs S3 bucket

0.0%