AWS SAP-C02 · Question 38 · Domain 1.2: Security Controls
An enterprise has a strict regulatory requirement that all API calls made within their AWS environment must be logged, and these logs must be stored in a centralized, highly secure account. The logs must be cryptographically verifiable to prove they have not been tampered with. How should this be configured?
Answer options:
Enable AWS Config in all accounts and send the configuration history to Amazon S3.
Create an AWS CloudTrail organization trail, send logs to an S3 bucket in a dedicated Log Archive account, and enable CloudTrail log file validation.
Use Amazon CloudWatch Logs agent on all EC2 instances to send logs to a central account.
Enable VPC Flow Logs in all accounts and store them in Amazon S3 with Object Lock.