What steps should be taken to meet these requirements in the MOST secure manner?
(Choose two.)
Turn on AWS CloudTrail in each AWS account.
Turn on CloudTrail in only the account that will be storing the logs.
Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
Explanations:
Turning on AWS CloudTrail in each AWS account is necessary to log all API calls made within those accounts. CloudTrail records API calls across AWS services and enables auditing and monitoring. This ensures that every action taken within each account is captured and can be analyzed centrally.
Turning on CloudTrail only in the account that will be storing the logs will not capture API calls made in other AWS accounts. Each account must have CloudTrail enabled to log its respective API calls, ensuring comprehensive logging across the organization.
Updating the bucket ACL is not recommended for granting cross-account access, as ACLs are less flexible and secure than bucket policies. Instead, using bucket policies is the best practice for managing permissions and ensuring secure access from multiple AWS accounts.
While creating a service-based role for CloudTrail is good practice for granting permissions, it is not required to enable CloudTrail logging itself. CloudTrail can operate with the permissions provided by the IAM roles associated with the accounts, so this option does not directly address the requirement of logging API calls centrally.
Updating the bucket policy of the bucket in the account that will be storing the logs is essential for allowing other accounts to send their CloudTrail logs to this central location. A properly configured bucket policy enables secure access for cross-account logging while adhering to the principle of least privilege.
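The bucket policy the last explanation refers to, as an added example (not part of the original question material): it builds a policy for the central log bucket that lets CloudTrail deliver from each member account only under that account's own AWSLogs/ prefix, and includes a small check that flags write grants which are broader than that. The bucket name, account IDs, region and trail name are placeholders.

```python
import json

# Added example: cross-account CloudTrail delivery policy for a central S3 bucket.
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}


def cloudtrail_bucket_policy(bucket, account_ids, region="us-east-1", trail_name="org-trail"):
    """Return a bucket policy for BUCKET allowing CloudTrail in each of ACCOUNT_IDS
    to write its logs. All names are placeholders, not values from the page."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [{
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": CLOUDTRAIL,
        "Action": "s3:GetBucketAcl",      # CloudTrail checks the bucket ACL before delivery
        "Resource": bucket_arn,
    }]
    for acct in account_ids:
        statements.append({
            "Sid": f"AWSCloudTrailWrite{acct}",
            "Effect": "Allow",
            "Principal": CLOUDTRAIL,
            "Action": "s3:PutObject",
            # Each account may only write beneath its own AWSLogs/<account-id>/ prefix.
            "Resource": f"{bucket_arn}/AWSLogs/{acct}/*",
            "Condition": {"StringEquals": {
                # Objects are handed to the bucket owner, and the write must come
                # from that account's trail rather than any CloudTrail caller.
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": f"arn:aws:cloudtrail:{region}:{acct}:trail/{trail_name}",
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def writable_prefixes(policy):
    """Resources the policy lets CloudTrail write to, for review."""
    return sorted(s["Resource"] for s in policy["Statement"] if s["Action"] == "s3:PutObject")


def unscoped_writes(policy):
    """Sids of s3:PutObject grants that are not confined to an AWSLogs/ prefix or
    lack the bucket-owner-full-control condition (the least-privilege check)."""
    bad = []
    for s in policy["Statement"]:
        if s["Action"] != "s3:PutObject":
            continue
        cond = s.get("Condition", {}).get("StringEquals", {})
        if "/AWSLogs/" not in s["Resource"] or cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            bad.append(s["Sid"])
    return bad


if __name__ == "__main__":
    print(json.dumps(cloudtrail_bucket_policy("central-logs", ["111111111111", "222222222222"]), indent=2))
```

A policy whose write statement uses a bare `bucket/*` resource, or omits the ACL condition, is reported by `unscoped_writes` and should be tightened before being applied.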