
Exam AWS-SysOps topic 1 question 870 discussion

Exam question from Amazon's AWS-SysOps
Question #: 870
Topic #: 1

A company has several accounts between different teams and wants to increase its auditing and compliance capabilities. The accounts are managed through AWS Organizations. Management wants to provide the security team with secure access to the account logs while also restricting the possibility for the logs to be modified.
How can a SysOps administrator achieve this with the LEAST amount of operational overhead?

  • A. Store AWS CloudTrail logs in Amazon S3 in each account. Create a new account to store compliance data and replicate the objects into the newly created account.
  • B. Store AWS CloudTrail logs in Amazon S3 in each account. Create an IAM user with read-only access to the CloudTrail logs.
  • C. From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.
  • D. Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs.
Suggested Answer: C

Comments

binhdt2611
Highly Voted 2 years, 6 months ago
Answer C. When you create an organization trail, a trail with the name that you give it will be created in every AWS account that belongs to your organization. Users with CloudTrail permissions in member accounts will be able to see this trail when they log into the AWS CloudTrail console from their AWS accounts, or when they run AWS CLI commands such as describe-trail. However, users in member accounts will not have sufficient permissions to delete the organization trail, turn logging on or off, change what types of events are logged, or otherwise alter the organization trail in any way. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
upvoted 5 times
TroyMcLure
2 years, 6 months ago
Thanks for the reference
upvoted 1 times
albert_kuo
Most Recent 9 months, 1 week ago
Selected Answer: C
By setting up an organization trail, you can aggregate and centralize the CloudTrail logs from all the member accounts into a single S3 bucket owned by the master account. This ensures that the security team has secure access to the logs without needing to access individual accounts separately. Additionally, using IAM roles, you can enforce strict access controls to prevent modification of the logs. The IAM roles can be associated with specific users or groups who need to view the logs but don't have the permission to modify them, providing the necessary separation of responsibilities.
upvoted 1 times
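As an added example (not part of this discussion and not AWS's own tooling), the following Python script audits the JSON returned by `aws cloudtrail describe-trails` for the properties the comments above rely on: whether each trail is an organization trail and whether it covers all Regions. It also checks log file validation, the CloudTrail feature that makes modified or deleted log files detectable, which goes beyond what the comments mention. The sample JSON is constructed for this example; the field names are those of the CloudTrail API, and an actual run would feed the script real `describe-trails` output.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output.
# Field names follow the CloudTrail API; account IDs, names and buckets are made up.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-org-cloudtrail-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "IsOrganizationTrail": True,
            "LogFileValidationEnabled": True,
        },
        {
            "Name": "dev-team-trail",
            "S3BucketName": "example-dev-team-bucket",
            "HomeRegion": "eu-west-1",
            "IsMultiRegionTrail": False,
            "IsOrganizationTrail": False,
            "LogFileValidationEnabled": False,
        },
    ]
})


def audit_trails(describe_trails_json: str) -> dict:
    """Map each trail name to a list of findings; an empty list means the trail
    is organization-wide, covers all Regions and produces tamper-evident logs."""
    report = {}
    for trail in json.loads(describe_trails_json).get("trailList", []):
        findings = []
        if not trail.get("IsOrganizationTrail", False):
            findings.append("not an organization trail: member accounts could alter or delete it")
        if not trail.get("IsMultiRegionTrail", False):
            findings.append("single-Region trail: API activity in other Regions is not recorded")
        if not trail.get("LogFileValidationEnabled", False):
            findings.append("log file validation off: modified or deleted log files are not detectable")
        report[trail["Name"]] = findings
    return report


def has_compliant_org_trail(describe_trails_json: str) -> bool:
    """True when at least one trail passes every check above."""
    return any(not findings for findings in audit_trails(describe_trails_json).values())


if __name__ == "__main__":
    for name, findings in audit_trails(SAMPLE_DESCRIBE_TRAILS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```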
Community vote distribution: A (35%), C (25%), B (20%), Other