Exam AWS Certified Security - Specialty topic 1 question 489 discussion

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html#session-manager-logging-cloudwatch-logs C would not be encrypted.

AWS Systems Manager Session Manager: It allows secure and controlled access to EC2 instances without the need for opening inbound ports or managing SSH keys. The security engineer can establish a secure session with the EC2 instances using the Session Manager without exposing them to the public internet. Amazon CloudWatch logging: By configuring CloudWatch logging, the security engineer can monitor and capture session activity logs. This includes commands executed, input/output streams, and metadata associated with the session. Upload session logs option: Selecting the "upload session logs" option ensures that the session activity logs are captured and stored in CloudWatch Logs. Encrypted CloudWatch Logs log groups: By allowing only encrypted CloudWatch Logs log groups, the security engineer ensures that the session activity logs are encrypted at rest, providing an additional layer of security for the stored logs.

D is the correct answer.

Big thanks to @6_8ftwin To log session data using Amazon CloudWatch Logs (console) Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/ In the navigation pane, choose Session Manager. Choose the Preferences tab, and then choose Edit. Select the check box next to Enable under CloudWatch logging. Choose the """Upload session logs""" option. (Recommended) Select the check box next to """Allow only encrypted CloudWatch log groups""". With this option turned on, log data is encrypted using the server-side encryption key specified for the log group.

C. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch monitoring to record the sessions. Select the store session logs option for the desired CloudWatch Logs log groups.