Which actions should a solutions architect take to protect and secure CloudTrail?
(Choose two.)
Enable CloudTrail log file validation.
Install the CloudTrail Processing Library.
Enable logging of Insights events in CloudTrail.
Enable custom logging from the on-premises resources.
Create an AWS Config rule to monitor whether CloudTrail is configured to use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
Explanations:
Enabling CloudTrail log file validation ensures that the integrity of the log files is maintained. This feature allows verification that the log files have not been tampered with, providing an immutable audit log that meets the company’s security requirements.
The CloudTrail Processing Library is used for processing CloudTrail log files but does not provide direct security features for the logs themselves. It is not necessary for protecting or securing CloudTrail logs.
Enabling logging of Insights events in CloudTrail helps in identifying unusual API activities but does not enhance the security or immutability of the audit logs. It primarily focuses on detecting anomalies rather than securing log files.
Custom logging from on-premises resources does not relate directly to the security of CloudTrail logs. While it may provide additional logging capabilities, it does not enhance the security or immutability of CloudTrail logs stored in AWS.
Creating an AWS Config rule to monitor whether CloudTrail is configured to use server-side encryption with AWS KMS managed encryption keys (SSE-KMS) ensures that the logs are encrypted at rest, providing an additional layer of security for compliance auditing and protecting sensitive information.
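As an added illustration of the log file validation mechanism described above (not part of the original question and not AWS's own code): a CloudTrail digest records a SHA-256 hash of each delivered log file plus a hash of the previous digest, so recomputing those hashes detects a modified or missing file and a broken chain. Field names are modelled on the CloudTrail digest format and every value here is constructed; the RSA signature CloudTrail also attaches to each digest (what `aws cloudtrail validate-logs` checks) is omitted.

```python
import hashlib
import json

# Constructed sample log objects standing in for the gzipped CloudTrail files in S3
# (keys follow the CloudTrail prefix layout; the contents are made up for this example).
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
LOG_OBJECTS = {
    PREFIX + "trail-a.json.gz": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
    PREFIX + "trail-b.json.gz": b'{"Records":[{"eventName":"StopLogging"}]}',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_hash(digest: dict) -> str:
    """Hash of a digest document; the next digest in the chain records this value."""
    return sha256_hex(json.dumps(digest, sort_keys=True).encode())

def build_digest(log_objects: dict, previous_digest_hash):
    """Digest covering log_objects; field names mirror the CloudTrail digest format."""
    return {
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for key, data in log_objects.items()
        ],
        "previousDigestHashValue": previous_digest_hash,  # None for the first digest
    }

def validate(digest: dict, stored_objects: dict, expected_previous_hash) -> list:
    """Recompute every hash the digest commits to; an empty list means intact."""
    findings = []
    if digest["previousDigestHashValue"] != expected_previous_hash:
        findings.append("chain broken: previousDigestHashValue does not match prior digest")
    for entry in digest["logFiles"]:
        data = stored_objects.get(entry["s3Object"])
        if data is None:
            findings.append("missing: " + entry["s3Object"])
        elif sha256_hex(data) != entry["hashValue"]:
            findings.append("modified: " + entry["s3Object"])
    return findings

def demo():
    """Clean chain validates; a log file edited after its digest was written is caught."""
    first = build_digest(LOG_OBJECTS, None)
    second = build_digest(LOG_OBJECTS, digest_hash(first))
    clean = validate(second, LOG_OBJECTS, digest_hash(first))
    tampered = dict(LOG_OBJECTS)
    tampered[PREFIX + "trail-b.json.gz"] = b'{"Records":[]}'  # records removed after the fact
    return clean, validate(second, tampered, digest_hash(first))
```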