Exam AWS-SysOps topic 1 question 657 discussion

C seems to be correct as KMS event goes to cloud trail

C https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html

Answer is C. https://docs.aws.amazon.com/kms/latest/developerguide/kms-events.html "Whenever AWS KMS rotates key material, it sends a KMS CMK Rotation event to EventBridge. AWS KMS generates this event on a best-effort basis." "When you schedule deletion of a KMS key, AWS KMS enforces a waiting period before deleting the KMS key. After the waiting period ends, AWS KMS deletes the KMS key and sends a KMS CMK Deletion event to EventBridge. AWS KMS guarantees this EventBridge event." Because there is no guarantee for the CMK Rotation event in EventBridge, it is better to use CloudTrail instead of EventBridge.

Here's how this approach works: Enable AWS CloudTrail in each production account and configure it to capture KMS events. This ensures that all KMS-related events, including CMK deletion or rotation, are logged. Configure CloudTrail to send the KMS logs to an Amazon S3 bucket that is managed by the Security team. This allows centralized access and management of the logs. By implementing this approach, the Security team can collect the KMS event logs from all production accounts and monitor them for any relevant activities related to CMK deletion or rotation.

C is the answer

B is correct. All events are sent to cloudwatch using default event bus, with event bridge you can create a custom bus and a rule that selects the events you’re interested in, use your event is as the destination.

https://docs.aws.amazon.com/kms/latest/developerguide/understanding-kms-entries.html i believe it could be C CloudTrail supports the above KMS events

I recommend B. C can also achieve its purpose, but it also includes unnecessary logs other than rotation and deletion. B can only get the events it needs. https://docs.aws.amazon.com/ja_jp/kms/latest/developerguide/monitoring-cloudwatch.html

C. Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.

I'll go with C

c https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html

C. Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team.

its C.. all KMS events are covered by cloudtrail - https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html

B, take note of "KMS CMK Rotation" and "KMS CMK Deletion" which are not covered by CloudTrail. CloudWatch Event ==> KMS: state change Event Pattern Preview : KMS: state change Event ==> { "source": [ "aws.kms" ], "detail-type": [ "KMS Imported Key Material Expiration", "KMS CMK Rotation", "KMS CMK Deletion" ] }

should be C For an ongoing record of events in your AWS account, including events for AWS KMS, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see:

I belive it's B https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html

C - Because it needs to be shared with the security teams ACCOUNT. Which can be done via a bucket acl