Which of these solutions would you recommend?

By:
In: SAP-C01
Tagged:
With: 1 Comment
You currently operate a web application.In the AWS US-East region.The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database.Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2.IAM And RDS resources.The solution must ensure the integrity and confidentiality of your log data.

Which of these solutions would you recommend?

Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Create a new CloudTrail with one new S3 bucket to store the logs Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket mat stores your logs.

Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA). Delete on the S3 bucket that stores your logs.

Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Explanations:

This option creates a new CloudTrail with an S3 bucket for logs, enabling tracking of changes to EC2, IAM, and RDS resources. The global services option ensures logs from global services are captured. The use of IAM roles, S3 bucket policies, and MFA Delete enhances security and integrity of logs, preventing unauthorized access and deletions.

While this option successfully creates a new CloudTrail and an S3 bucket, it lacks the MFA Delete feature for added security. Additionally, using SNS for notifications, while helpful for monitoring, does not directly contribute to the integrity or confidentiality of the log data itself, making it less reliable for compliance needs.

This option uses an existing S3 bucket, which may compromise the isolation of logs and could lead to security issues if the bucket has been used for other purposes. While MFA Delete is included, S3 ACLs are less secure compared to bucket policies for managing access and could lead to improper access configurations.

This option introduces unnecessary complexity by creating three separate CloudTrail trails and S3 buckets. While separation of logs can be beneficial, it complicates management and increases the potential for misconfiguration. Additionally, it does not provide a clear improvement in security or integrity compared to using a single trail and bucket.

2025-09-29

1 Comment

  1. Brittany
    Author

    I compute that the answer is:
    Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Leave a Reply

Your email address will not be published. Required fields are marked *

1 × three =