ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS-SysOps All Questions

View all questions & answers for the AWS-SysOps exam
Go to Exam

Exam AWS-SysOps topic 1 question 729 discussion

Exam question from Amazon's AWS-SysOps
Question #: 729
Topic #: 1
[All AWS-SysOps Questions]

A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket.
Which practices will ensure that the log files are available and unaltered? (Choose two.)

  • A. Enable the CloudTrail log file integrity check in AWS Config Rules.
  • B. Use CloudWatch Events to scan log files hourly.
  • C. Enable CloudTrail log file integrity validation.
  • D. Turn on Amazon S3 MFA Delete for the CloudTrail bucket.
  • E. Implement a DENY ALL bucket policy on the CloudTrail bucket.
Show Suggested Answer Hide Answer
Suggested Answer: CD 🗳️
The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time. CloudTrail log file integrity validation uses industry standard algorithms: SHA-256 for hashing and SHA-256 with
RSA for digital signing. This makes it computationally unfeasible to modify, delete or forge CloudTrail log files without detection. T
Configuring multi-factor authentication (MFA) ensures that any attempt to change the versioning state of your bucket or permanently delete an object version requires additional authentication. This helps prevent any operation that could compromise the integrity of your log files, even if a user acquires the password of an IAM user that has permissions to permanently delete Amazon S3 objects.
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
by allsitesmember at Aug. 5, 2020, noon
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
mrphuongbn
Highly Voted 8 months, 2 weeks ago
repeated. C & D
upvoted 6 times
...
TroyMcLure
Most Recent 7 months, 3 weeks ago
Correct Answer: C & D
upvoted 1 times
...
abhishek_m_86
8 months, 1 week ago
C. Enable CloudTrail log file integrity validation. E. Implement a DENY ALL bucket policy on the CloudTrail bucket. Seem correct AS D simply means MFA is enabled by he question says employee purposely wants to delete the bucket so MFA wont impact
upvoted 2 times
chalosca
7 months, 4 weeks ago
If you implement a DENY ALL, the CloudTrail itself won't be able to write the log data on the bucket. We need to implement LEAST PROVILEDGE but not DENY ALL This link gives the answer as C and E also. https://docs.amazonaws.cn/en_us/awscloudtrail/latest/userguide/best-practices-security.html
upvoted 2 times
...
...
jackdryan
8 months, 1 week ago
I'll go with C,D
upvoted 1 times
...
KhatriRocks
8 months, 1 week ago
CD, :-)
upvoted 1 times
...
allsitesmember
8 months, 3 weeks ago
repeated.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel