Which combination of actions will meet these requirements? (Choose two.)
Configure CodePipeline to write actions to Amazon CloudWatch Logs.
Configure CodePipeline to write actions to an Amazon S3 bucket at the end of each pipeline stage.
Create an AWS CloudTrail trail to deliver logs to Amazon S3.
Create a CodePipeline custom action to invoke an AWS Lambda function for approval. Create a policy that gives the security team access to manage CodePipeline custom actions.
Create a CodePipeline manual approval action before the deployment step. Create a policy that grants the security team access to approve manual approval stages.
Explanations:
Configuring CodePipeline to write actions to CloudWatch Logs does not meet the requirement to record and retain a formal approval, because CloudWatch Logs is not ideal for retention and approval tracking.
Writing actions to an S3 bucket after each stage is insufficient for retaining formal approval records specifically tied to a security team sign-off on production changes.
CloudTrail logs provide an auditable, retained record of API actions, including CodePipeline approvals, when delivered to S3, meeting the requirement for recording and retaining approvals.
A Lambda custom action does not inherently provide an approval mechanism tied to the security team or retention requirements, making it unsuitable for formal approval tracking.
A manual approval action in CodePipeline allows security team members to sign off on changes before deployment, and policies can restrict approval to the security team only, fulfilling the requirement for a recorded approval.