
Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 493 discussion

A company wants to migrate its accounting system from an on-premises data center to the AWS Cloud in a single AWS Region. Data security and an immutable audit log are the top priorities. The company must monitor all AWS activities for compliance auditing. The company has enabled AWS CloudTrail but wants to make sure it meets these requirements.
Which actions should a solutions architect take to protect and secure CloudTrail? (Choose two.)

  • A. Enable CloudTrail log file validation.
  • B. Install the CloudTrail Processing Library.
  • C. Enable logging of Insights events in CloudTrail.
  • D. Enable custom logging from the on-premises resources.
  • E. Create an AWS Config rule to monitor whether CloudTrail is configured to use server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
Suggested Answer: AE

Comments

patriktre
Highly Voted 3 years, 7 months ago
A and E should be correct. The question is about securing CloudTrail: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/data-protection.html https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html and corresponding AWS Config rule: https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html
upvoted 25 times
Alfio
3 years, 6 months ago
Log file integrity validation: You can validate the integrity of AWS CloudTrail log files stored in your Amazon S3 bucket and detect whether the log files were unchanged, modified, or deleted since CloudTrail delivered them to your Amazon S3 bucket. You can use log file integrity validation in your IT security and auditing processes.
Log file encryption: By default, AWS CloudTrail encrypts all log files delivered to your specified Amazon S3 bucket using Amazon S3 server-side encryption (SSE). Optionally, add a layer of security to your CloudTrail log files by encrypting the log files with your AWS Key Management Service (AWS KMS) key. Amazon S3 automatically decrypts your log files if you have decrypt permissions. For more information, see encrypting log files using your KMS key.
upvoted 14 times
amshivraj
Highly Voted 3 years, 6 months ago
got this in exam, marked A and E
upvoted 9 times
BECAUSE
Most Recent 1 year, 10 months ago
Selected Answer: AE
A and E are the answers
upvoted 1 times
naveenagurjara
2 years, 10 months ago
Selected Answer: AE
CloudTrail Insights does not protect CloudTrail logs themselves. It protects activities inside of those logs.
upvoted 1 times
kitkwok
3 years, 1 month ago
Selected Answer: AC
The organization must conduct compliance audits on "all" AWS operations. So AC: we have encryption by default, E is overkill.
upvoted 1 times
ahaz
2 years, 8 months ago
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html "AWS CloudTrail Insights helps AWS users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events." Insights events have nothing to do with the question's requirements. The right answer should be A & E.
upvoted 1 times
Jobair
2 years, 5 months ago
"Data security and an immutable audit log are the top priorities."
upvoted 1 times
LETSGETIT
3 years, 3 months ago
A, E https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
upvoted 1 times
FF11
3 years, 3 months ago
Selected Answer: AE
A&E are correct
upvoted 2 times
rav009
3 years, 4 months ago
A, C. E is not necessary since "By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3)." https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
upvoted 1 times
pikaflash
3 years, 4 months ago
Selected Answer: AE
AE are correct
upvoted 1 times
prex
3 years, 4 months ago
Selected Answer: AE
A and E should be correct. The question is about securing CloudTrail: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/data-protection.html https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html and corresponding AWS Config rule: https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html
upvoted 1 times
bill_smoke
3 years, 4 months ago
A + E - "AWS CloudTrail Insights helps AWS users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events." Source: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html There is no mention of API calls, so C is redundant in this scenario.
upvoted 1 times
bill_smoke
3 years, 4 months ago
A + E - As there is no mention of API/API writes, C is redundant in this scenario: "AWS CloudTrail Insights helps AWS users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events."
upvoted 1 times
gondohwe
3 years, 4 months ago
Selected Answer: AE
Log file integrity and SSE-KMS ensure your CloudTrail is safe, simple as that.
upvoted 2 times
gondohwe
3 years, 4 months ago
After selecting A you need to consider C because logging of Insights events in CloudTrail can continuously monitor API activity to determine usage patterns that are not normal, to be logged and delivered to the destination S3 bucket. Choosing E isn't appropriate since there is guaranteed encryption by default from SSE-KMS.
upvoted 1 times
ecastilla
3 years, 5 months ago
A for sure. B and D are out. The question is C or E: CloudTrail logs are encrypted by default, so I go with C.
upvoted 4 times
Jamati
3 years, 6 months ago
A + E. Validated log files are especially valuable in security and forensic investigations, therefore it's essential to enable CloudTrail log file integrity. The SHA-256 with RSA for digital signing makes it computationally infeasible to modify, delete or forge validated CloudTrail log files without detection. By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
upvoted 4 times
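As an added example (not from any commenter, AWS, or the Config rule's own code), here is the compliance check that options A and E reduce to, expressed over trail descriptions in the shape boto3's `describe_trails` returns (`LogFileValidationEnabled` and `KmsKeyId` are real response fields; the trail names, bucket names and key ARN in the sample are constructed placeholders). It runs offline against the embedded sample instead of calling AWS.

```python
from typing import Dict, List

# Constructed sample in the shape of cloudtrail.describe_trails()["trailList"].
# Names, bucket names and the key ARN are placeholders, not real resources.
SAMPLE_TRAILS: List[Dict] = [
    {
        "Name": "audit-trail",
        "S3BucketName": "example-audit-logs",
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
    },
    {
        "Name": "legacy-trail",
        "S3BucketName": "example-legacy-logs",
        "LogFileValidationEnabled": False,
        # No KmsKeyId: log files fall back to the default SSE-S3 the thread debates.
    },
]


def evaluate_trail(trail: Dict) -> Dict[str, str]:
    """Per-control verdict for one trail, mirroring the two AWS Config rules."""
    findings = {}
    # Option A: integrity validation (hourly SHA-256 digest files, RSA-signed).
    findings["log_file_validation"] = (
        "COMPLIANT" if trail.get("LogFileValidationEnabled") else "NON_COMPLIANT"
    )
    # Option E: SSE-KMS; KmsKeyId is only present when a KMS key is configured.
    findings["sse_kms_encryption"] = (
        "COMPLIANT" if trail.get("KmsKeyId") else "NON_COMPLIANT"
    )
    return findings


def non_compliant_trails(trails: List[Dict]) -> Dict[str, List[str]]:
    """Map trail name -> failed controls; an empty dict means every trail passes."""
    result = {}
    for trail in trails:
        failed = [c for c, v in evaluate_trail(trail).items() if v == "NON_COMPLIANT"]
        if failed:
            result[trail["Name"]] = failed
    return result


if __name__ == "__main__":
    for name, failed in non_compliant_trails(SAMPLE_TRAILS).items():
        print(f"{name}: remediate {', '.join(failed)}")
```

Pointing the same logic at a live `describe_trails` response gives the remediation list a Config rule would flag; a trail that merely relies on the default SSE-S3 still shows up as failing the SSE-KMS control.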
Community vote distribution
A (35%)
C (25%)
B (20%)
Other