A company requires that all AWS API calls are logged. They also need to mathematically prove that the log files have not been tampered with after they were delivered to Amazon S3. How can this be achieved?

Answer options:

Enable S3 Object Lock in compliance mode.

Enable CloudTrail log file integrity validation.

Encrypt the CloudTrail logs using AWS KMS.

Use Amazon Macie to monitor the S3 bucket for changes.

How to approach this question

Look for the specific CloudTrail feature designed for mathematical proof of log integrity.

Full Answer

B.Enable CloudTrail log file integrity validation.✓ Correct

Enable CloudTrail log file integrity validation.

CloudTrail log file integrity validation uses industry-standard algorithms (SHA-256 and RSA) to create a hash for every log file delivered, allowing you to assert that no log files were modified or deleted.

Common mistakes

Choosing S3 Object Lock, which is for immutability but doesn't provide the mathematical proof feature CloudTrail offers natively.

Question 08 All questions Question 10

Practice the full AWS SAA-C03 Practice Exam 5

65 questions · hints · full answers · grading

More questions from this exam

Q01A company needs to grant an external auditor read-only access to specific AWS resources. The audi...Easy Q02An application running on EC2 instances needs to access objects in an S3 bucket. The security tea...Medium Q03A company is designing a VPC for a multi-tier web application. They need to block specific malici...Medium Q04A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Hard Q05A company hosts a web application on an Application Load Balancer (ALB). They are experiencing SQ...Medium

View all 65 questions →