What approach enables the Administrator to search through the logs MOST efficiently?
Implement a "write-only" CloudTrail event filter to detect any modifications to the AWS account resources.
Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs.
Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities.
Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries.
Explanations:
Implementing a “write-only” CloudTrail event filter does not help in searching through existing logs. This option limits visibility and does not provide an efficient means to analyze the already generated logs for suspicious activity.
Amazon Macie is primarily used for discovering and classifying sensitive data within S3 buckets, not for analyzing log files. It does not facilitate efficient search capabilities across the CloudTrail logs, which is necessary for log analysis.
Configuring Amazon Athena allows the Administrator to query the CloudTrail logs stored in S3 using SQL-like queries. This enables efficient searching and analysis of large volumes of log data, making it the most suitable option for log analysis.
Enabling S3 event notifications to trigger a Lambda function for email alerts on new CloudTrail entries does not aid in analyzing existing logs. This approach focuses on real-time notifications rather than querying and examining large volumes of historical log data.
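To make the Athena option concrete, the following is an added example (not part of the original question or its explanations) showing how an Administrator would register the CloudTrail log bucket as an Athena table and then query it for suspicious activity. The table definition follows the CloudTrail SerDe layout AWS documents for Athena; the bucket name, account ID and region in the LOCATION and partition paths are placeholders that must be replaced with the real values, and the queries themselves are illustrative hunting queries chosen for this example.

```sql
-- Added example: register the CloudTrail log prefix as an Athena table.
-- Replace MY-CLOUDTRAIL-BUCKET, 111122223333 and the region/date values
-- with your own (placeholders, not values from the question).
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_logs (
  eventVersion STRING,
  userIdentity STRUCT<
    type: STRING,
    principalId: STRING,
    arn: STRING,
    accountId: STRING,
    invokedBy: STRING,
    accessKeyId: STRING,
    userName: STRING,
    sessionContext: STRUCT<
      attributes: STRUCT<mfaAuthenticated: STRING, creationDate: STRING>,
      sessionIssuer: STRUCT<type: STRING, principalId: STRING, arn: STRING,
                            accountId: STRING, userName: STRING>>>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestParameters STRING,
  responseElements STRING,
  additionalEventData STRING,
  requestId STRING,
  eventId STRING,
  resources ARRAY<STRUCT<arn: STRING, accountId: STRING, type: STRING>>,
  eventType STRING,
  apiVersion STRING,
  readOnly STRING,
  recipientAccountId STRING,
  serviceEventDetails STRING,
  sharedEventId STRING,
  vpcEndpointId STRING
)
-- Partitioning by region and date keeps each query scanning only the
-- prefixes it needs, which is what makes Athena efficient on large log sets.
PARTITIONED BY (region STRING, year STRING, month STRING, day STRING)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://MY-CLOUDTRAIL-BUCKET/AWSLogs/111122223333/CloudTrail/';

-- Register one day's partition (repeat per region/day, or automate it).
ALTER TABLE cloudtrail_logs ADD IF NOT EXISTS
  PARTITION (region = 'us-east-1', year = '2024', month = '01', day = '15')
  LOCATION 's3://MY-CLOUDTRAIL-BUCKET/AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/15/';

-- Hunting query 1: who changed what? Only mutating (non read-only) API calls,
-- grouped by caller and action, for the partition just registered.
SELECT
  userIdentity.arn         AS caller,
  eventSource,
  eventName,
  COUNT(*)                 AS calls,
  MIN(eventTime)           AS first_seen,
  MAX(eventTime)           AS last_seen
FROM cloudtrail_logs
WHERE region = 'us-east-1' AND year = '2024' AND month = '01' AND day = '15'
  AND readOnly = 'false'
GROUP BY userIdentity.arn, eventSource, eventName
ORDER BY calls DESC
LIMIT 50;

-- Hunting query 2: denied or failed calls by source IP, a common signal of
-- credential misuse or enumeration, again scoped to the same partition.
SELECT
  sourceIpAddress,
  userIdentity.arn AS caller,
  errorCode,
  COUNT(*)         AS failures
FROM cloudtrail_logs
WHERE region = 'us-east-1' AND year = '2024' AND month = '01' AND day = '15'
  AND errorCode IS NOT NULL
GROUP BY sourceIpAddress, userIdentity.arn, errorCode
ORDER BY failures DESC
LIMIT 50;
```

Because Athena bills by data scanned, always constrain queries with the partition columns (and, for long retention, consider partition projection so new partitions need no ALTER TABLE); the same queries run unpartitioned would still work but would read the entire log prefix every time.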