Exam AWS Certified Security - Specialty topic 1 question 242 discussion

Or Sorry, answer is BD -- "Each time CloudTrail puts a log file into your S3 bucket, Amazon S3 sends a GenerateDataKey request to AWS KMS on behalf of CloudTrail. In response to this request, AWS KMS generates a unique data key and then sends Amazon S3 two copies of the data key, one in plaintext and one that is encrypted with the specified CMK."

why not C and D , It is not customer managed key , this is SSE- KMS which is managed by AWS

In fact all of KMS 3 actions, Encrypt, Decrypt, and GenerateDataKey, are required for CloudTrail to use KMS key. ----- Required KMS key policy elements for trails *Enable CloudTrail log encrypt permissions. See Granting encrypt permissions. *Enable CloudTrail log decrypt permissions. See Granting decrypt permissions. If you are using an existing S3 bucket with an S3 Bucket Key, kms:Decrypt permissions are required to create or update a trail with SSE-KMS encryption enabled. *Enable CloudTrail to describe KMS key properties. See Enable CloudTrail to describe KMS key ----- Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html But again, option D is correct, cause without S3 bucket policy permission to put object that will not work. A question requesting 2 correct answers, and provides 3! Nice!

The CMK key policy does not allow CloudTrail to make GenerateDatakey API calls against the key. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

CloudTrail operations are performed via service linked role, therefore we need to ensure those roles across all accounts have necessary permissions. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html

AWS managed key policy is fixed

Option D is more obvious, but I'm going with option B because of this: https://docs.aws.amazon.com/kms/latest/developerguide/services-cloudtrail.html The question: "the engineer noticed that logs recorded by the new trail were not delivered to the bucket." Link: "Each time CloudTrail puts a log file into your S3 bucket, Amazon S3 sends a GenerateDataKey request to AWS KMS on behalf of CloudTrail."

A. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key: To enable server-side encryption with AWS KMS managed keys (SSE-KMS), the CloudTrail service needs permission to encrypt and decrypt the log files using the specified AWS KMS CMK. If the key policy does not allow CloudTrail to perform these operations, it will result in logs not being delivered to the S3 bucket. D. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail: The S3 bucket policy controls access to the S3 bucket. If the bucket policy does not grant CloudTrail the necessary permissions to perform the PutObject API calls to the specific folder created for the Organizations trail, it will prevent the logs from being delivered to the bucket.

Still confused after going through the comments why not C & D?

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html

CloudTrail needs explicit permission to use the KMS key to encrypt logs on behalf of specific accounts. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html Because you are creating a new trail you need to modify bucket policy to allow cloudtrail write to s3. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

I go for A and B. Option D says "...folder created for the Organizations trail."and the question mention to use the same bucket, so this does not apply. On top of it, Encrypted and Decripted permission is also necessary.

B & D https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html

B & D B - "If you are using an existing S3 bucket with an S3 Bucket Key, CloudTrail must be allowed permission in the key policy to use the AWS KMS actions GenerateDataKey and DescribeKey. If cloudtrail.amazonaws.com is not granted those permissions in the key policy, you cannot create or update a trail." Reference: Note in https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html D - obviously needs S3 bucket policy to allow PutObject call

I think is B,D B-If you chose Use existing S3 bucket, specify a bucket in Trail log bucket name, or choose Browse to choose a bucket. The bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.html D- https://docs.aws.amazon.com/zh_tw/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html#create-kms-key-policy-for-cloudtrail-encrypt

Hi Guy, I am still not clear why the point "However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket." is related to CMK policy ? if a log record not delivered to the S3 bucket, it should be a S3 policy or IAM policy, so I can't see any sense to select B.

B - OK - CMK policy statement: { "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "kms:GenerateDataKey*", "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": [ "arn:aws:cloudtrail:*:111111111111:trail/*", "arn:aws:cloudtrail:*:222222222222:trail/*" ] } } } D - OK - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-set-bucket-policy-for-multiple-accounts.html