
Answer-first summary for fast verification
Answer: Set up a new AWS CloudTrail trail within the organization's management account. Create a new Amazon S3 bucket with versioning enabled for log storage. Extend the trail deployment to encompass all accounts within the organization. Activate MFA delete and encryption features on the S3 bucket.
The correct answer is C. This option recommends creating a new AWS CloudTrail trail in the organization's management account and using a new Amazon S3 bucket with versioning enabled for log storage. This setup ensures that all API calls across the organization are audited and securely stored in a single, version-controlled S3 bucket. Additionally, it minimizes operational overhead by centralizing log storage and management. Enabling MFA delete and encryption on the S3 bucket further enhances the security and durability of the logs. Option A uses an existing S3 bucket, which is not as secure as creating a new dedicated bucket. Option B requires creating multiple trails and buckets across accounts, increasing operational overhead. Option D suggests using SNS for external management, adding unnecessary complexity without providing additional compliance benefits.
Author: LeetQuiz Editorial Team
A financial services company offers a software-as-a-service (SaaS) platform for application compliance to large global banks. This SaaS platform operates on AWS and utilizes multiple AWS accounts managed within an AWS Organizations setup. The platform leverages numerous AWS resources across various regions. To comply with regulatory standards, all API calls made to these AWS resources must be audited, tracked for any modifications, and securely stored in a durable data repository. What is the most efficient solution that minimizes operational overhead while fulfilling these compliance requirements?
A. Establish a new AWS CloudTrail trail. Utilize an existing Amazon S3 bucket within the organization's management account for log storage. Extend the trail deployment across all AWS Regions. Activate MFA delete and encryption features on the S3 bucket.
B. Initiate a new AWS CloudTrail trail in every member account of the organization. Create distinct Amazon S3 buckets for log storage in each account. Extend the trail deployment across all AWS Regions. Activate MFA delete and encryption features on the S3 buckets.
C. Set up a new AWS CloudTrail trail within the organization's management account. Create a new Amazon S3 bucket with versioning enabled for log storage. Extend the trail deployment to encompass all accounts within the organization. Activate MFA delete and encryption features on the S3 bucket.
D. Deploy a new AWS CloudTrail trail within the organization's management account. Create a new Amazon S3 bucket for log storage. Configure Amazon Simple Notification Service (Amazon SNS) to dispatch log-file delivery notifications to an external management system responsible for tracking the logs. Activate MFA delete and encryption features on the S3 bucket.