An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)
A. Turn on AWS CloudTrail in each AWS account.
B. Turn on CloudTrail in only the account that will be storing the logs.
C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.
D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
A & E.
Bear in mind the question is not talking about "Creating a trail for an organization".
For "Receiving CloudTrail log files from multiple accounts", below is the procedure:
1. Turn on CloudTrail in the account where the destination bucket will belong (111111111111 in this example). Do not turn on CloudTrail in any other accounts yet.
2. Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail.
3. Turn on CloudTrail in the other accounts you want (222222222222, 333333333333, and 444444444444 in this example). Configure CloudTrail in these accounts to use the same bucket belonging to the account that you specified in step 1 (111111111111 in this example).
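Step 2 of the procedure above is where the security of the whole setup is decided. As an added example (not from the post and not AWS's own tooling), the Python below builds the cross-account bucket policy for a central logging account plus a list of member accounts, and then lints a policy for the properties that make the bucket-policy route the "most secure" choice: only the CloudTrail service principal is allowed, writes are confined to each account's AWSLogs/<account-id>/ prefix, and the bucket-owner-full-control condition is required so the logging account keeps ownership of every delivered log file. The account IDs, the bucket name and the overly permissive counter-example policy are constructed values for illustration.

```python
import json

# Constructed example values (assumptions, not from the page): the central
# logging account and the member accounts that will deliver logs to it.
LOG_ACCOUNT = "111111111111"
MEMBER_ACCOUNTS = ["222222222222", "333333333333", "444444444444"]
BUCKET = "example-central-cloudtrail-logs"   # hypothetical bucket name

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def build_cloudtrail_bucket_policy(bucket, log_account, member_accounts):
    """Return the cross-account bucket policy CloudTrail needs.

    Statement 1 lets the CloudTrail service read the bucket ACL (CloudTrail
    checks this before delivering). Statement 2 lets it write only under
    AWSLogs/<account-id>/ for the listed accounts, and only when the object
    is written with bucket-owner-full-control.
    """
    accounts = [log_account, *member_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in accounts],
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def policy_findings(policy, bucket):
    """Review a bucket policy before trusting it as a log destination.

    Returns a list of human-readable findings; an empty list means every
    Allow statement is limited to the narrow CloudTrail delivery access.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource")
        resources = [resources] if isinstance(resources, str) else list(resources)

        # An anyone-can-write grant is the classic log-bucket misconfiguration.
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants access to every principal")
        elif principal != CLOUDTRAIL_PRINCIPAL:
            findings.append(f"{sid}: principal is not the CloudTrail service")

        if any(a in ("s3:*", "*") for a in actions):
            findings.append(f"{sid}: wildcard action")

        if "s3:PutObject" in actions:
            prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
            for r in resources:
                # Each write grant must be scoped to one account's log prefix.
                if not r.startswith(prefix) or r == f"{prefix}*":
                    findings.append(f"{sid}: write not scoped to a per-account AWSLogs prefix: {r}")
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: missing bucket-owner-full-control condition")
    return findings


# Constructed counter-example: a policy that lets delivery "work" but hands
# write access on the whole bucket to any principal.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    good = build_cloudtrail_bucket_policy(BUCKET, LOG_ACCOUNT, MEMBER_ACCOUNTS)
    print(json.dumps(good, indent=2))
    print("findings (scoped policy):", policy_findings(good, BUCKET))
    print("findings (permissive policy):", policy_findings(OVERLY_PERMISSIVE_POLICY, BUCKET))
```

The generator emits one PutObject resource per account, so adding a new account in step 3 means adding its ID to the list and re-applying the policy; the linter is the check to run on any existing destination bucket before pointing further accounts at it.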
AE are the correct answers.
Please note that it is not mentioned that all these accounts are in the same organization in AWS Organization, therefore cannot create an organization trail in CloudTrail of the management/delegated account (B).
An organization wants to log all AWS API calls made within all of its AWS accounts.
Even if not speaking about a trail for an organization, the above sentence is enough reason to believe that it's what AWS is referring to.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
To meet these requirements in the most secure manner, you should turn on AWS CloudTrail in each AWS account and store the logs in a central place for analysis. AE
If I have to choose, my answers will be A and E. However, I am concerned that CloudTrail is enabled by default, so is A necessary? Understand that B will be a good answer if they are in an AWS organisation.
A. Turn on AWS CloudTrail in each AWS account.
E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
B and E are the correct answers here.
If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the management account and apply it to an organization, making it an organization trail. Organization trails log events for the management account and all member accounts in the organization.
It's B, E. But this is tricky, because you do turn on CloudTrail in the other accounts but at the end.... ://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
Read the article you cited. It says specifically to turn on CloudTrail in the other accounts and have them send logs to the centralized account.
Answer: A,E
Agree it is B and E.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
This is because the nature of an organization trail means that if a new member account joins the organization, the management account will automatically include its trail in the centralized trail. Hence, only the management account needs to have CloudTrail enabled.
Correction: D, E
A,B - CloudTrail is enabled upon account creation.
C - Best practice is to use bucket policy. S3 ACL is legacy.
D - "When you create an organization trail in the console, or when you enable CloudTrail as a trusted service in the Organizations, this creates a service-linked role to perform logging tasks in your organization's member accounts. This role is named AWSServiceRoleForCloudTrail, and is required for CloudTrail to successfully log events for an organization."
Sorry, final answer A and E.
A - CloudTrail is enabled upon account creation, but each account's CloudTrail still needs to be "turned on" to specify which S3 bucket the trail goes to.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/turn-on-cloudtrail-in-additional-accounts.html
D is incorrect because the service-linked role is automatically created.
Lol, looks like you changed answers quite a bit. It's worth noting that it's just an organization, not AWS Organizations, else B would be correct. But I do believe it's A, E.