A recent security audit found that AWS CloudTrail logs are insufficiently protected from tampering and unauthorized access. Which actions must the Security Engineer take to access these audit findings? (Choose three.)
A. Ensure CloudTrail log file validation is turned on.
B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage.
C. Use an S3 bucket with tight access controls that exists in a separate account.
D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files.
E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
F. Encrypt the CloudTrail log files with server-side encryption AWS KMS-managed keys (SSE-KMS).
A. Ensure CloudTrail log file validation is turned on. - YES
B. Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage. - NO - why do you need this here?
C. Use an S3 bucket with tight access controls that exists in a separate account. - YES - security best practice.
D. Use Amazon Inspector to monitor the file integrity of CloudTrail log files. - NO - not needed.
E. Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files.
F. Encrypt the CloudTrail log files with server-side encryption AWS KMS-managed keys (SSE-KMS). - YES
Probably I'm wrong, but I guess it is B, C and F. Why do I change answer "A" to "B"?
The question is: "CloudTrail records are not adequately safeguarded against manipulation and unauthorized access". I guess that "CloudTrail log file validation" can't prevent logs from being manipulated. It will advise that there was tampering, but it can't prevent it by itself. Instead, by sending the logs to Glacier, the customer can safely store them and avoid manipulation. If I'm wrong, please don't let me live in the dark... :)
Please be careful, because in another bank of questions I found the same question with just one word changed: "to have access to these audit findings" vs. "to have address to these audit findings". Obviously it changes the meaning significantly. Ciao
In other words, if it is:
- "to have access to these audit findings": correct answer: A, C & F.
- "to have address to these audit findings": correct answer: B, C & F.
Sincerely, I guess the question is wrong; looking at the answer, it fits better with "to have address to these audit findings" than with "to have access to these audit findings". Sorry, I won't disturb more.
AWS best practices to protect CloudTrail logs:
1) Enable CloudTrail log file integrity
2) Log to a dedicated and centralized Amazon S3 bucket
3) Use server-side encryption with AWS KMS managed keys (SSE-KMS)
ACF
Yeah, A C F seems correct. Curious as to why E couldn't be correct though... It seems like a very strange solution, but technically possible. I guess F is just a more common way of doing it.
A, C, F. B is not relevant to security, which is what the question asks. B is good practice but not relevant; also delete logs outside the retention period to reduce costs.
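The thread settles on option A (log file validation) as the tamper-evidence control. As an added illustration that is not part of the original thread or of any AWS tool, the script below shows what that validation actually checks: each digest file lists the SHA-256 of every delivered log object, and each digest carries the hash of the previous digest, so a modified or deleted log object, or a removed digest, is detectable after the fact. It uses the documented digest field names (`logFiles[].s3Object`, `hashValue`, `previousDigestHashValue`) on constructed sample data; the RSA signature check that `aws cloudtrail validate-logs` also performs is omitted here because it needs CloudTrail's public key.

```python
import gzip
import hashlib
import json
from typing import Optional

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the hash CloudTrail records for each delivered log object."""
    return hashlib.sha256(data).hexdigest()

def verify_digest(digest: dict, s3_objects: dict, prior_digest_bytes: Optional[bytes]) -> list:
    """Check one digest file against the log objects it covers.

    digest:             parsed digest JSON (CloudTrail's digest field names)
    s3_objects:         {object key: raw bytes as stored in S3}, fetched by the caller
    prior_digest_bytes: raw bytes of the previous digest file, or None at chain start
    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = s3_objects.get(key)
        if blob is None:
            findings.append(f"missing log file (possible deletion): {key}")
        elif sha256_hex(blob) != entry["hashValue"]:
            findings.append(f"hash mismatch (possible tampering): {key}")
    # Each digest records the hash of the previous digest, forming a chain.
    if prior_digest_bytes is not None and digest.get("previousDigestHashValue") != sha256_hex(prior_digest_bytes):
        findings.append("digest chain broken: previousDigestHashValue does not match prior digest")
    return findings

# --- Constructed sample data (not real CloudTrail output; account id is a placeholder) ---
LOG_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/example_CloudTrail.json.gz"
LOG_BYTES = gzip.compress(json.dumps({"Records": [{"eventName": "StopLogging"}]}).encode())
PRIOR_DIGEST = b'{"logFiles": []}'  # stands in for the previous digest file
DIGEST = {
    "logFiles": [{"s3Object": LOG_KEY, "hashValue": sha256_hex(LOG_BYTES), "hashAlgorithm": "SHA-256"}],
    "previousDigestHashValue": sha256_hex(PRIOR_DIGEST),
}

def run_checks() -> dict:
    """Run the verifier over an intact copy, a modified copy, and a deleted log object."""
    intact = verify_digest(DIGEST, {LOG_KEY: LOG_BYTES}, PRIOR_DIGEST)
    # Modified copy: the StopLogging record has been removed and the file re-gzipped.
    modified_bytes = gzip.compress(json.dumps({"Records": []}).encode())
    modified = verify_digest(DIGEST, {LOG_KEY: modified_bytes}, PRIOR_DIGEST)
    deleted = verify_digest(DIGEST, {}, PRIOR_DIGEST)
    return {"intact": intact, "modified": modified, "deleted": deleted}

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, "->", result or "OK")
```

Note that validation only detects changes; it does not stop them, which is why the thread pairs it with a locked-down bucket in a separate account (option C) and SSE-KMS (option F).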