How can a SysOps administrator achieve this is with the LEAST amount of operational overhead?
Store AWS CloudTrail logs in Amazon S3 in each account. Create a new account to store compliance data and replicate the objects into the newly created account.
Store AWS CloudTrail logs in Amazon S3 in each account. Create an IAM user with read-only access to the CloudTrail logs.
From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.
Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs.
Explanations:
Storing logs in S3 and replicating them across accounts adds complexity, requires manual management of replication, and is not the most efficient way to manage log access securely.
While storing logs in S3 and providing read-only access works, it doesn’t address restricting modification access to logs, which is a key part of the requirements.
Creating an organization trail from the master account ensures logs are centralized and immutable. Using IAM roles to restrict access provides secure, read-only access without the ability to modify the logs. This solution minimizes operational overhead.
Using CloudFormation stack sets for creating trails in every account is a more complex solution and doesn’t directly address the need for secure, centralized log access with restricted modification permissions.
I deduce that the answer is:
From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.