Exam AWS Certified Security - Specialty topic 1 question 125 discussion

B for me

B A- You need to validate digest file to detect if any integrity issue. It does not mark file as unavailable. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-cli.html C- Since SSE-KMS is already given, there is no way the bucket is set as SSE-S3. D- S3 bucket for CloudTrail can be specified with any prefix without "CloudTrail/" https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

User won't be able to GET the object if permission does now allow decrypt. User will get access denied, not getting "unreadable" file!

Since the security engineer is unable to view the files, he most likely doesn't have the right permissions to decrypt the data. B

B for me as well

I go on B as well.

B for me

I did not know this but I answered B, because the other answers are unreasonable. The files can be placed anywhere and the files should be allowed for inspection if the failed validation.

B Duplicated with New Q19

B is right answer, same question repeated again.

Enabling server-side encryption encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3). https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

B, for sure.

I guess the questions are repeated from TOPIC1. KMS-managed keys (SSE-KMS) - Always digest files arent encrypted. so they are always readable.. but s3 encrypted data is not readable as THE POLICY ASSOCIATED TO THE IAM USER DOESNT PERMIT HIM TO DECRYPT THE CONTENT !!

I think it's D Digest files located in same Bucket and if they are readable so KMS permission is ok.

b for me as well

B. D would be a good fit if it mentioned that access was denied, but it doesnt so presume that the object container can be opened but the objects inside cant be decrypted thus cant be read