
AWS Certified Security - Specialty
A company operates multiple AWS accounts within an AWS Organizations setup, including a dedicated security account. The company requires that all AWS account activities across these member accounts be logged and reported to the dedicated security account. Additionally, these logs must be securely stored within the dedicated security account for a retention period of 2 years, with no possibility of changes or deletions. Which two steps, when taken together, would meet these requirements with the least operational overhead?
Explanation:
The correct answers are A and D. Option A stores the logs in an S3 bucket in the security account with S3 Object Lock in compliance mode and a 2-year default retention period. In compliance mode no user, including the root user of the bucket's account, can overwrite or delete a locked object version or shorten its retention period until that period expires, so the logs meet the requirement of 2 years of storage with no possibility of changes or deletions. Option D creates an AWS CloudTrail organization trail, which is defined once in the organization's management account (or a delegated administrator account) and automatically records account activity in every current and future member account, delivering the logs to the S3 bucket in the dedicated security account. Member accounts can view the organization trail but cannot modify or delete it. Because a single trail covers the whole organization, there is no need to create and maintain a trail and a cross-account delivery configuration in each member account, which is what keeps operational overhead to a minimum.