Which combination of steps will meet these requirements MOST cost-effectively?
(Choose three.)
Configure AWS CloudTrail to log S3 data events.
Configure S3 server access logging for the S3 bucket.
Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES).
Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.
Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering.
Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.
Explanations:
AWS CloudTrail can log S3 data events, including object-level operations like deletions, which is essential for auditing access and changes to sensitive data in S3.
S3 server access logging provides logs for requests made to the S3 bucket, but it does not specifically log object-level operations such as deletes, making it less effective for monitoring deletions.
While Amazon S3 can trigger events, sending object deletion events directly to Amazon SES is not a typical use case. SES is primarily for sending emails, not for receiving S3 events directly.
Configuring S3 to send object deletion events to an EventBridge event bus allows for sophisticated event handling and can trigger notifications via SNS, ensuring the security team is alerted whenever a deletion occurs.
Sending logs to Amazon Timestream is not cost-effective for logging purposes: Timestream is a time-series database that is not designed for S3 access logging, and it could incur higher costs than S3.
Configuring a new S3 bucket to store logs with an S3 Lifecycle policy enables automatic log management and cost savings by transitioning logs to cheaper storage classes after a specified period, aligning with the requirement to keep logs for 5 years.