Which solution will meet these requirements?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A company has a private Amazon S3 bucket that contains sensitive information.A SysOps administrator needs to keep logs of the IP addresses from authentication failures that result from attempts to access objects in the bucket.The logs must be stored so that they cannot be overwritten or deleted for 90 days.

Which solution will meet these requirements?

Create an AWS CloudTrail trail. Configure the log files to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.

Create an AWS CloudTrail trail. Configure the log files to be saved to a different S3 bucket. Turn on CloudTrail log file integrity validation for 90 days.

Turn on access logging for the S3 bucket. Configure the access logs to be saved to Amazon CloudWatch Logs. Configure the log group with a retention period of 90 days.

Turn on access logging for the S3 bucket. Configure the access logs to be saved in a second S3 bucket. Turn on S3 Object Lock on the second S3 bucket, and configure a default retention period of 90 days.

Explanations:

AWS CloudTrail captures AWS account activity and API usage but does not specifically log authentication failures for S3 bucket access attempts. Saving to CloudWatch Logs with a 90-day retention period does not fulfill the requirement of preventing overwriting or deletion of logs for 90 days.

While AWS CloudTrail can log API calls, including access attempts to S3, simply saving the logs to a different S3 bucket does not ensure the logs are protected from deletion or overwriting for 90 days. CloudTrail log file integrity validation is not a retention mechanism.

Access logging for S3 buckets provides information about requests to access objects in the bucket, but saving these logs to CloudWatch Logs with a retention period does not prevent deletion or modification of logs, which does not meet the requirement for immutability.

Enabling access logging for the S3 bucket allows tracking of access requests, while saving logs to a second S3 bucket with S3 Object Lock configured ensures that logs cannot be deleted or overwritten for 90 days, fulfilling the requirement for log retention and protection.

2025-10-08

1 Comment

  1. Kimberly
    Author

    I conclude that the answer is:
    Turn on access logging for the S3 bucket. Configure the access logs to be saved in a second S3 bucket. Turn on S3 Object Lock on the second S3 bucket, and configure a default retention period of 90 days.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × 3 =