What initial actions should be taken to allow delivery of CloudTrail events to S3?
(Choose two.)
Verify that the S3 bucket policy allows CloudTrail to write objects.
Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
Remove any lifecycle policies on the S3 bucket that are archiving objects to Amazon Glacier.
Verify that the S3 bucket defined in CloudTrail exists.
Verify that the log file prefix defined in CloudTrail exists in the S3 bucket.
Explanations:
The S3 bucket policy must allow CloudTrail to write objects to the bucket. Without proper permissions, CloudTrail cannot deliver events to S3.
The IAM role used by CloudTrail needs permissions to write to the S3 bucket, not CloudWatch Logs. This option is irrelevant for CloudTrail event delivery to S3.
Lifecycle policies that archive objects to Glacier do not prevent CloudTrail from delivering logs to S3. This is not an issue with event delivery.
The S3 bucket defined in CloudTrail must exist. If the bucket does not exist, CloudTrail will not be able to deliver logs.
The log file prefix defined in CloudTrail is not mandatory for successful delivery of events to the S3 bucket. It’s a configurable option for organizing logs but not a blocking factor.