Exam AWS Certified Security - Specialty topic 1 question 100 discussion

ACD is my answer. A & C are correct, things we need to setup at the destination bucket (create new bucket in centralized account and configure bucket policy for that). B is incorrect. (use existing bucket but apply policy to new bucket...) F is incorrect. (not required in question). E is incorrect, don't need to configure CloudTrail in centralized account. This account is specifically built for centralized services. Company only wants to log API calls in 5 accounts only, not this specialized account. And to stream logs from 5 account, we don't need to turn on or configure CloudTrail in centralized account, we need to configure CloudTrail trails in member accounts instead. The only thing we need from centralized account is S3 bucket. D is correct. prefix setting will help to put each trail log into separated folder inside the centralized bucket. Because the question requires top-level must be prefix then we need to set prefix in member trail.

ACE is correct Answer. If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the master account and apply it to an organization, making it an organization trail. Organization trails log events for the master account and all member accounts in the organization. For more information about AWS Organizations, see Organizations Terminology and Concepts. Note Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html You must be logged in with the master account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the master account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.

ACE. 1. set S3 bucket in new account centralized account as requested. 2. configure CloudTrail trail in the centralize account, setting member accounts to log to a centralized S3 bucket. 3. ensure the bucket policy allow CloudTrail to put objects and list bucket. Prefix is handled by CloudTrail.

A. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs and enable Log File Validation on all trails. This ensures that log files are stored securely and any modifications to the logs are detected. D. Use unique log file prefixes for trails in each AWS account. By specifying unique top-level prefixes for each trail, you can organize and differentiate the log files from different accounts within the centralized S3 bucket. E. Configure CloudTrail in the centralized account to log all accounts to the new centralized S3 bucket. This allows you to consolidate the CloudTrail logs from all five AWS accounts into the central S3 bucket, providing a unified view and centralized storage for the logs.

The answer is ACD. Log file validation is a business requirement which gets configured from the centralized storage account. Using unique log file prefixes for each trail in AWS CloudTrail is important because it helps you to easily identify which AWS account and region the log files belong to. This is because the log file names include the AWS account ID, region name, and unique string.

D is not mandatory because cloud trail give in automatic a unique prefix. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

"enable detection of any modification to the logs" => enable ג€Log File Validationג€ on all trail https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

per ChatGPT: Option D suggests using unique log file prefixes for trails in each AWS account, which can help to keep the logs organized and easier to manage, but it's not strictly necessary for the initial setup of centralized logging. Option E, is a critical step and should be included as one of the three steps in the answer. So the answer could be B, C, and E or B, D, and E depending on which option is chosen for the second step.

ACD A. supports log file validation C. supports required permissions D. unique prefix requirement

I checked our own centralized Cloudtrail, and there is no mention of Organisational Trail. I believe it is ACD. F is good to have but not requested

ACD is my answer.

D is optional E is mandatory

Annoying question. ACD looks right but unique prefixes are a default as uses account number. ACE looks kind of right as you do need to enable CT in the central account but you do not actually orchestrate the logging from other accounts from the central account. The other accounts just point to the central accounts CT bucket.

ACD is perfect for me. B is wrong, a special account is created for centralized log storage so so the bucket has to be in that account. E is wrong cloudtrail has to be enabled in every account not only in the central one. F is wrong the question is about integrity not confidentiality so validation not encryption.

A. Create a new S3 bucket in a separate AWS account for centralized storage of CloudTrail logs, and enable ג€Log File Validationג€ on all trails. C. Apply a bucket policy to the new centralized S3 bucket that permits the CloudTrail service to use the "s3 PutObject" action and the "s3 GelBucketACL" action, and specify the appropriate resource ARNs for the CloudTrail trails. D. Use unique log file prefixes for trails in each AWS account.

It got to ACE D is not a mandatory requirement as per below link. https://aws.amazon.com/blogs/security/sharing-aws-cloudtrail-log-files-between-accounts/

A, C and D