Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A financial services company sells its software-as-a-service (SaaS) platform for application compliance to large global banks.The SaaS platform runs on AWS and uses multiple AWS accounts that are managed in an organization in AWS Organizations.The SaaS platform uses many AWS resources globally.For regulatory compliance, all API calls to AWS resources must be audited, tracked for changes, and stored in a durable and secure data store.

Which solution will meet these requirements with the LEAST operational overhead?

Create a new AWS CloudTrail trail. Use an existing Amazon S3 bucket in the organization’s management account to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 bucket.

Create a new AWS CloudTrail trail in each member account of the organization. Create new Amazon S3 buckets to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 buckets.

Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket with versioning turned on to store the logs. Deploy the trail for all accounts in the organization. Enable MFA delete and encryption on the S3 bucket.

Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket to store the logs. Configure Amazon Simple Notification Service (Amazon SNS) to send log-file delivery notifications to an external management system that will track the logs. Enable MFA delete and encryption on the S3 bucket.

Explanations:

While this option creates a new CloudTrail trail and stores logs in an existing S3 bucket, it does not centralize the logging for all accounts in the organization. This could lead to inconsistencies and increased operational overhead as logs from different accounts may need to be managed separately.

Creating a new CloudTrail trail in each member account and separate S3 buckets increases operational overhead significantly. Each member account will require its own configuration and maintenance, complicating the auditing and tracking process. This approach does not meet the requirement of minimizing operational overhead.

This option correctly centralizes logging by creating a new CloudTrail trail in the organization’s management account, which can track API calls across all accounts. Using a single S3 bucket simplifies log management, and enabling MFA delete and encryption enhances security, thus meeting the compliance requirements with the least operational overhead.

While this option centralizes the CloudTrail trail in the management account, it adds unnecessary complexity by introducing an external management system for tracking logs via SNS notifications. This increases operational overhead and is not necessary for compliance, which can be achieved directly through CloudTrail and S3 storage.

2025-10-16

1 Comment

  1. Sean
    Author

    I deduce that the answer is:
    Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket with versioning turned on to store the logs. Deploy the trail for all accounts in the organization. Enable MFA delete and encryption on the S3 bucket.

Leave a Reply

Your email address will not be published. Required fields are marked *

twelve + 17 =