Moving forward, how can the SysOps administrator confirm that the log files have not been modified after being delivered to the S3 bucket?
Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
Enable log file integrity validation and use digest files to verify the hash value of the log file.
Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
Enable S3 server access logging to track requests made to the log bucket for security audits.
Explanations:
Streaming CloudTrail logs to CloudWatch Logs does not directly ensure log file integrity. It only provides an alternative storage and monitoring method.
Enabling log file integrity validation and using digest files allows the administrator to verify that the logs have not been tampered with after delivery to S3.
Replicating the log bucket across regions and encrypting with S3 managed keys helps with availability and security but does not ensure integrity of the log files.
Enabling S3 server access logging provides audit trails for access requests but does not ensure the integrity or modification status of the CloudTrail logs themselves.
As far as I can tell, the answer is:
Enable log file integrity validation and use digest files to verify the hash value of the log file.
I classify that the answer is:
Enable log file integrity validation and use digest files to verify the hash value of the log file.