Question 35
Domain 6: Security and Compliance
A company hosts an application in its AWS account. The application uses an Amazon S3 bucket to store objects that contain sensitive information. The company needs to capture object-level S3 API calls, including calls that are rejected because the calls were made by using credentials that are not valid. Which solution will meet these requirements?
Correct answer: A
Explanation
AWS CloudTrail data events record object-level S3 API activity, and CloudTrail can log both successful and failed requests, including those made with invalid credentials. Enabling S3 data events on a trail captures the bucket/object operations, and sending the trail to CloudWatch provides centralized monitoring and alerting for those API calls.
Why each option is right or wrong
A. Create an AWS CloudTrail trail in the account. Enable S3 data events logging. Configure the trail to log to Amazon CloudWatch.
AWS CloudTrail data events are the only CloudTrail event type that records Amazon S3 object-level API activity (GetObject, PutObject, DeleteObject and similar), as opposed to management events, which cover bucket-level and account-level operations and do not include object access. Under the CloudTrail event model, data events capture both successful and failed API calls, including requests rejected because the credentials were invalid, and S3 data events are billed separately at $0.10 per 100,000 events. Configuring the trail to deliver to Amazon CloudWatch allows those logged events to be centralized and monitored in near real time.
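Added example, not part of the original question or of any AWS documentation: it shows how the "enable S3 data events" step in option A is expressed as a CloudTrail advanced event selector, and how the records such a trail delivers (successful and rejected object-level calls alike) can be filtered for monitoring. The selector field names (`eventCategory`, `resources.type`, `resources.ARN`) and record fields (`eventName`, `errorCode`, `resources`) are CloudTrail's own; the bucket name, key names, access key id and the log records themselves are constructed sample data, and the selector matcher is a simplified re-implementation that only handles the `Equals` and `StartsWith` operators used here.

```python
import json
from typing import List, Tuple

# Advanced event selector equivalent to enabling S3 data events for one bucket.
# Bucket name is a placeholder, not a real resource.
S3_OBJECT_SELECTOR = {
    "Name": "Object-level calls on the sensitive bucket",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::example-sensitive-bucket/"]},
    ],
}

# Constructed CloudTrail log file (same top-level shape as a delivered log object).
# Record 1 is a management event; 2-4 are data events on the bucket, two of them
# rejected; 5 is a data event on a different bucket.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventCategory": "Management", "eventName": "CreateBucket",
     "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-sensitive-bucket"}]},
    {"eventCategory": "Data", "eventName": "GetObject",
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::example-sensitive-bucket/reports/q1.csv"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-sensitive-bucket"}]},
    {"eventCategory": "Data", "eventName": "PutObject", "errorCode": "AccessDenied",
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::example-sensitive-bucket/reports/q2.csv"}]},
    {"eventCategory": "Data", "eventName": "GetObject", "errorCode": "InvalidAccessKeyId",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEPLACEHOLDER"},
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::example-sensitive-bucket/reports/q1.csv"}]},
    {"eventCategory": "Data", "eventName": "GetObject",
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::other-bucket/notes.txt"}]},
]})


def load_records(log_text: str) -> List[dict]:
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(log_text)["Records"]


def matches_selector(record: dict, selector: dict) -> bool:
    """Simplified evaluation of an advanced event selector against one record.
    Every FieldSelector must match; for resource fields, any listed resource may match."""
    resources = record.get("resources", [])
    for fs in selector["FieldSelectors"]:
        field = fs["Field"]
        if field == "eventCategory":
            values = [record.get("eventCategory")]
        elif field == "resources.type":
            values = [r.get("type") for r in resources]
        elif field == "resources.ARN":
            values = [r.get("ARN") for r in resources]
        else:
            raise ValueError(f"unsupported field {field}")
        if "Equals" in fs and not any(v in fs["Equals"] for v in values):
            return False
        if "StartsWith" in fs and not any(
            isinstance(v, str) and v.startswith(p) for v in values for p in fs["StartsWith"]
        ):
            return False
    return True


def select_data_events(records: List[dict]) -> List[dict]:
    """Records the trail would deliver under S3_OBJECT_SELECTOR."""
    return [r for r in records if matches_selector(r, S3_OBJECT_SELECTOR)]


def rejected_object_calls(records: List[dict]) -> List[Tuple[str, str]]:
    """Rejected object-level calls, which CloudTrail records with an errorCode.
    These are the events a CloudWatch metric filter or alarm would key on."""
    return [(r["eventName"], r["errorCode"])
            for r in select_data_events(records) if "errorCode" in r]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("object-level events logged:", len(select_data_events(recs)))
    for name, err in rejected_object_calls(recs):
        print("rejected:", name, err)
```

The management event and the call against the other bucket fall outside the selector, while the two rejected calls are kept alongside the successful one, which is the behaviour the question relies on: the rejection is logged with its error code rather than silently dropped.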
B. Create a new S3 bucket. Configure access logging on the application's S3 bucket. Deliver the access logs to the new S3 bucket.
S3 server access logging records requests to the bucket in its own log format, not full CloudTrail-style object-level API audit events, so it does not satisfy the requirement.
C. Configure Amazon GuardDuty with S3 protection enabled for the account. Create an Amazon EventBridge rule that matches findings that are associated with the S3 bucket. Configure the rule to use an Amazon Simple Queue Service (Amazon SQS) queue as the target.
GuardDuty S3 protection produces findings about suspicious activity; it does not serve as the raw record of every object-level API call.
D. Create an AWS CloudTrail trail and a new S3 bucket in the account. Configure the trail to log to the new S3 bucket.
A trail that logs only management events, without S3 data events enabled, misses the required object-level S3 API activity.