Which solution will meet these requirements?

By:
On:
In: SAP-C01
Tagged:
With: 0 Comments
A company has a new security policy.The policy requires the company to log any event that retrieves data from Amazon S3 buckets.The company must save these audit logs in a dedicated S3 bucket.The company created the audit logs S3 bucket in an AWS account that is designated for centralized logging.The S3 bucket has a bucket policy that allows write- only cross-account access.A solutions architect must ensure that all S3 object-level access is being logged for current S3 buckets and future S3 buckets.

Which solution will meet these requirements?

Enable server access logging for all current S3 buckets. Use the audit logs S3 bucket as a destination for audit logs.

Enable replication between all current S3 buckets and the audit logs S3 bucket. Enable S3 Versioning in the audit logs S3 bucket.

Configure S3 Event Notifications for all current S3 buckets to invoke an AWS Lambda function every time objects are accessed. Store Lambda logs in the audit logs S3 bucket.

Enable AWS CloudTrail, and use the audit logs S3 bucket to store logs. Enable data event logging for S3 event sources, current S3 buckets, and future S3 buckets.

Explanations:

Enabling server access logging will only log requests at the S3 bucket level, not object-level access. It is insufficient for the requirement of object-level logging.

S3 replication is used for copying data between buckets, not for logging access. It does not provide audit logs for object-level access as required.

Configuring S3 Event Notifications to invoke a Lambda function on object access is unnecessary and complex. It would not reliably capture all access events.

AWS CloudTrail can log detailed events, including S3 object-level access. Enabling data event logging for S3 ensures all current and future buckets are logged.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × five =