Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new AWS CloudTrail trail. Use an existing Amazon S3 bucket in the organization’s management account to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 bucket.
B. Create a new AWS CloudTrail trail in each member account of the organization. Create new Amazon S3 buckets to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 buckets.
C. Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket with versioning turned on to store the logs. Deploy the trail for all accounts in the organization. Enable MFA delete and encryption on the S3 bucket.
D. Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket to store the logs. Configure Amazon Simple Notification Service (Amazon SNS) to send log-file delivery notifications to an external management system that will track the logs. Enable MFA delete and encryption on the S3 bucket.
Explanations:
A. This option only creates a CloudTrail trail in the management account without leveraging AWS Organizations to consolidate logs across multiple accounts. While it stores logs in a centralized S3 bucket, it does not scale well across all member accounts, requiring additional configuration to ensure compliance.
B. This option requires creating a CloudTrail trail in each member account, which increases operational overhead. Each account having its own S3 bucket for logs can complicate management and does not efficiently utilize the centralized logging capabilities provided by AWS Organizations.
C. This option creates a CloudTrail trail in the organization’s management account and deploys it across all member accounts, ensuring centralized logging with minimal operational overhead. By using a single S3 bucket with versioning, it meets the durability and security requirements for regulatory compliance.
D. While this option sets up a CloudTrail trail in the management account and utilizes an S3 bucket for logs, the added complexity of integrating with an external management system for log tracking introduces operational overhead that could be avoided. Centralized logging within AWS is more efficient.
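The following is an added example, not part of the original question or its explanations: a small Python checker that evaluates a trail and its log bucket against the properties the explanations rely on (an organization trail from the management account covering all Regions, a dedicated bucket with versioning, MFA delete and default encryption). The input dictionaries follow the key names of the boto3 `describe_trails`, `get_bucket_versioning` and `get_bucket_encryption` responses, but every value below is constructed sample data, and the extra log-file-validation check goes one step beyond the question's stated requirements.

```python
"""Added example (not from the original page): evaluate a CloudTrail trail and
its S3 log bucket against centralized-logging requirements. The sample
dictionaries are constructed; only their key names mirror the boto3 responses
of describe_trails()['trailList'][i], get_bucket_versioning() and
get_bucket_encryption()['ServerSideEncryptionConfiguration']."""

from typing import Dict, List


def evaluate_trail(trail: Dict, versioning: Dict, encryption: Dict) -> List[str]:
    """Return a list of findings; an empty list means the configuration meets
    the requirements the question's explanations depend on."""
    findings: List[str] = []

    # One trail created in the management account and deployed to every
    # member account (what option C describes) shows up as an organization trail.
    if not trail.get("IsOrganizationTrail"):
        findings.append("trail is not an organization trail; member accounts are not covered")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not deployed to all Regions")
    # Beyond the question's requirements: log file validation lets you detect
    # tampering with delivered log files (assumption: a useful extra control).
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")

    # get_bucket_versioning() returns an empty dict for a never-versioned bucket.
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning is not enabled")
    # MFA delete can only be enabled on a versioned bucket.
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete is not enabled on the log bucket")

    rules = encryption.get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append("bucket has no default encryption rule")
    return findings


# Constructed sample: the configuration option C produces.
COMPLIANT_TRAIL = {
    "Name": "org-trail",  # constructed name
    "S3BucketName": "example-org-cloudtrail-logs",  # constructed bucket name
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder
}
COMPLIANT_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
COMPLIANT_ENCRYPTION = {
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            }
        }
    ]
}

# Constructed sample: a single-account, multi-Region trail writing to a bucket
# that was never versioned or encrypted (roughly what option A leaves behind
# when the existing bucket has no versioning).
SINGLE_ACCOUNT_TRAIL = {
    "Name": "mgmt-only-trail",  # constructed name
    "S3BucketName": "example-existing-bucket",  # constructed bucket name
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": False,
    "LogFileValidationEnabled": True,
}
UNVERSIONED = {}      # shape of get_bucket_versioning() for an unversioned bucket
NO_ENCRYPTION = {}    # no ServerSideEncryptionConfiguration rules


if __name__ == "__main__":
    for label, args in (
        ("option C configuration", (COMPLIANT_TRAIL, COMPLIANT_VERSIONING, COMPLIANT_ENCRYPTION)),
        ("single-account configuration", (SINGLE_ACCOUNT_TRAIL, UNVERSIONED, NO_ENCRYPTION)),
    ):
        result = evaluate_trail(*args)
        print(f"{label}: {'compliant' if not result else result}")
```

In a real account the three dictionaries would come from `cloudtrail.describe_trails`, `s3.get_bucket_versioning` and `s3.get_bucket_encryption` (the last raises `ServerSideEncryptionConfigurationNotFoundError` when no rule exists, which the caller should map to an empty dict). One caveat the checker reflects: MFA delete is a versioning setting, so it is turned on through `put-bucket-versioning` with root credentials and an MFA device, not as a separate bucket feature.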