
A company operates multiple AWS accounts within an AWS Organizations setup, including a dedicated security account. The company requires that all AWS account activities across these member accounts be logged and reported to the dedicated security account. Additionally, these logs must be securely stored within the dedicated security account for a retention period of 2 years, with no possibility of changes or deletions. Which two steps, when taken together, would meet these requirements with the least operational overhead?
A
In the dedicated security account, create an Amazon S3 bucket with S3 Object Lock configured in compliance mode and set a retention period of 2 years. Adjust the bucket policy to permit the organization's management account to write logs to the S3 bucket.
B
In the dedicated security account, create an Amazon S3 bucket with S3 Object Lock configured in compliance mode and set a retention period of 2 years. Adjust the bucket policy to allow all member accounts within the organization to write logs to the S3 bucket.
C
In the dedicated security account, create an Amazon S3 bucket with an S3 Lifecycle configuration that expires objects after 2 years. Modify the bucket policy to allow all member accounts within the organization to write logs to the S3 bucket.
D
Set up an AWS CloudTrail trail for the entire organization, configuring it to deliver logs to an Amazon S3 bucket located in the dedicated security account.
E
Enable AWS CloudTrail logging in each individual account, directing the logs to an Amazon S3 bucket in the organization's management account. Use AWS Lambda and Amazon Kinesis Data Firehose to forward these logs to the S3 bucket in the dedicated security account.