What is the MOST operationally efficient solution that meets these requirements?
Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function when a new file is delivered. Configure the Lambda function to compute an MD5 hash check on the file and store the result in an Amazon DynamoDB table. The security team can use the values that are stored in DynamoDB to verify the integrity of the delivered files.
Create an AWS Lambda function that is invoked each time a new file is delivered to the CloudTrail bucket. Configure the Lambda function to compute an MD5 hash check on the file and store the result as a tag on the Amazon S3 object. The security team can use the information in the tag to verify the integrity of the delivered files.
Enable the CloudTrail file integrity feature on an Amazon S3 bucket. Create an IAM policy that grants the security team access to the file integrity logs that are stored in the S3 bucket.
Enable the CloudTrail file integrity feature on the trail. The security team can use the digest file that is created by CloudTrail to verify the integrity of the delivered files.
Explanations:
This option adds operational overhead by requiring the setup of a custom solution with EventBridge, Lambda, and DynamoDB, which is unnecessary when a built-in integrity feature is available in CloudTrail.
Using an MD5 hash with a custom Lambda function and S3 tagging for integrity checks is inefficient and less secure compared to the native CloudTrail file integrity feature, which provides automated digest files.
Although this enables the CloudTrail file integrity feature, it incorrectly suggests creating a separate IAM policy for accessing integrity logs, which is unnecessary. The digest file produced by CloudTrail is accessible without extra policies.
Enabling the CloudTrail file integrity feature on the trail is the most efficient and secure solution, as it automatically generates digest files to verify log integrity without requiring additional custom setups.