Exam AWS Certified SysOps Administrator - Associate All Questions

Exam AWS Certified SysOps Administrator - Associate topic 1 question 77 discussion

A company runs an application that hosts critical data for several clients. The company uses AWS CloudTrail to track user activities on various AWS resources. To meet new security requirements, the company needs to protect the CloudTrail log files from being modified, deleted, or forged.
Which solution will meet these requirements?

  • A. Enable CloudTrail log file integrity validation.
  • B. Use Amazon S3 MFA Delete on the S3 bucket where the CloudTrail log files are stored.
  • C. Use Amazon S3 Versioning to keep all versions of the CloudTrail log files.
  • D. Use AWS Key Management Service (AWS KMS) security keys to secure the CloudTrail log files.
Suggested Answer: A

Comments

AminTriton
4 days, 5 hours ago
Selected Answer: A
If you have answered anything but A, remember that CloudTrail log file integrity validation is EXACTLY made for this purpose and nothing else.
upvoted 1 times
wakburn
3 months, 1 week ago
Selected Answer: A
**A. Enable CloudTrail log file integrity validation**. Enabling CloudTrail log file integrity validation ensures that the log files are protected using industry-standard algorithms (SHA-256 for hashing and SHA-256 with RSA for digital signing). This makes it computationally infeasible to modify, delete, or forge the log files without detection[1](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html)[2](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html).
upvoted 3 times
jagdishmav
3 months, 3 weeks ago
Selected Answer: A
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html#cloudtrail-log-file-validation-intro-use-cases
upvoted 1 times
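The two comments above describe the mechanism: CloudTrail records a SHA-256 hash of every delivered log file in an hourly digest and signs the digest, so a validator can later tell whether a file was modified, deleted or forged. The block below is an added example, not AWS code and not AWS's real digest format: it models the check with the Python standard library, with HMAC-SHA256 under a constructed key standing in for the RSA signature AWS applies (the field names `logFiles`, `hashValue` and `previousDigestSignature` are used for familiarity; the layout is a constructed simplification), and it exercises the three cases the question names plus a broken digest chain. It also makes visible the limit that the B and C voters below point at: validation detects a deletion, it does not stop one. In a real account the equivalent check is the `aws cloudtrail validate-logs` CLI command run against the digests delivered to the trail's S3 bucket.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the private RSA key AWS uses to sign
# digest files (real validation checks an RSA signature with AWS's public key).
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed sample log files, not real CloudTrail output.
LOG_FILES = {
    "log-a.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
    "log-b.json": b'{"Records":[{"eventName":"DeleteBucket"}]}',
}
GENESIS = ""  # the first digest in a chain has no previous signature


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(body: dict) -> str:
    """Sign the canonical JSON form of a digest body (HMAC stands in for RSA)."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def build_digest(log_files: dict, previous_signature: str) -> dict:
    """Record one SHA-256 hash per delivered log file and chain to the prior digest.
    The field layout is a constructed simplification of a CloudTrail digest."""
    body = {
        "logFiles": [{"name": n, "hashValue": sha256_hex(b)} for n, b in sorted(log_files.items())],
        "previousDigestSignature": previous_signature,
    }
    return {"body": body, "signature": sign(body)}


def validate(digest: dict, log_files: dict, previous_signature: str) -> list:
    """Return findings; an empty list means the digest and every file validated.
    This detects tampering after the fact; it cannot stop a principal who holds
    s3:DeleteObject from removing the files (that is what MFA Delete / Object Lock are for)."""
    findings = []
    # 1. Authenticity of the digest itself: a forged or edited digest fails here.
    if not hmac.compare_digest(sign(digest["body"]), digest["signature"]):
        return ["digest signature invalid (digest forged or altered)"]
    # 2. Chain continuity: a removed or reordered digest breaks the link.
    if digest["body"]["previousDigestSignature"] != previous_signature:
        findings.append("digest chain broken (a digest is missing or out of order)")
    # 3. Each listed log file must still exist with its recorded hash.
    listed = set()
    for entry in digest["body"]["logFiles"]:
        name = entry["name"]
        listed.add(name)
        if name not in log_files:
            findings.append(f"{name}: missing (deleted)")
        elif not hmac.compare_digest(sha256_hex(log_files[name]), entry["hashValue"]):
            findings.append(f"{name}: hash mismatch (modified)")
    # 4. Files that no digest vouches for are unexpected.
    for name in sorted(log_files):
        if name not in listed:
            findings.append(f"{name}: not covered by any digest (forged or unexpected file)")
    return findings


def run_demo() -> dict:
    """Exercise the cases the question names (modify, delete, forge) plus a broken chain."""
    digest = build_digest(LOG_FILES, GENESIS)
    results = {"untouched": validate(digest, LOG_FILES, GENESIS)}
    modified = {**LOG_FILES, "log-a.json": b'{"Records":[]}'}
    results["modified"] = validate(digest, modified, GENESIS)
    deleted = {k: v for k, v in LOG_FILES.items() if k != "log-b.json"}
    results["deleted"] = validate(digest, deleted, GENESIS)
    # Forgery: an attacker rewrites the digest body to match the altered file
    # but, lacking the signing key, can only reuse the old signature.
    forged = {"body": build_digest(modified, GENESIS)["body"], "signature": digest["signature"]}
    results["forged"] = validate(forged, modified, GENESIS)
    results["chain_broken"] = validate(digest, LOG_FILES, "not-the-real-previous-signature")
    return results


if __name__ == "__main__":
    for scenario, findings in run_demo().items():
        print(f"{scenario:12s} -> {findings or 'OK'}")
```

Running the block prints one line per scenario. Note that the "deleted" case only produces a finding because the digest still exists to compare against; in the real service the digests live in the same bucket as the logs, which is why the prevention controls the other commenters name (MFA Delete, Versioning, Object Lock) are complementary to validation rather than replaced by it.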
numark
3 months, 3 weeks ago
Answer is A and ChatGPT agrees: A. Enable CloudTrail log file integrity validation (Correct) CloudTrail log file integrity validation uses SHA-256 hashing and digital signatures to ensure that log files have not been tampered with or altered. This provides cryptographic proof of the integrity of the log files. It directly addresses the requirement to ensure that logs are not forged or modified. This is the most relevant feature provided by AWS CloudTrail for log protection.
B. Use Amazon S3 MFA Delete on the S3 bucket where the CloudTrail log files are stored (Partially Correct) MFA Delete prevents accidental or unauthorized deletions of S3 objects, but it does not protect against forgery or tampering of log contents. While useful, this alone does not meet the full requirement of securing logs against modification or forgery.
upvoted 1 times
MintTeaClarity
4 months, 1 week ago
Selected Answer: B
I think it's B.
upvoted 1 times
Aamee
6 months, 1 week ago
Selected Answer: B
I'd go with B here as it specifically asks to protect the CT files from being modified, deleted or forged.
upvoted 2 times
rcptryk
9 months, 2 weeks ago
Selected Answer: A
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html#:~:text=To%20determine%20whether,CloudTrail%20delivered%20them.
upvoted 1 times
stoy123
1 year ago
no single option among the provided choices completely fulfills all three requirements
upvoted 2 times
Invr11
1 year, 1 month ago
Selected Answer: B
"Enable MFA delete on the Amazon S3 bucket where you store log files When you configure multi-factor authentication (MFA), attempts to change the versioning state of bucket, or delete an object version in a bucket, require additional authentication. This way, even if a user acquires the password of an IAM user with permissions to permanently delete Amazon S3 objects, you can still prevent operations that could compromise your log files." https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
upvoted 4 times
dante_JPMC
1 year, 1 month ago
Selected Answer: A
There's no question at all it's A.
upvoted 4 times
kret
11 months, 3 weeks ago
There's no question A would not PROTECT from those actions. It will give an option to detect those actions.
upvoted 1 times
Rabbit117
1 year, 2 months ago
Selected Answer: B
I think B is correct. CloudTrail Log integrity does not prevent the file from being deleted. It will only detect if the file was deleted, to prevent deletion you should use MFA delete, which requires versioning to be enabled. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
upvoted 4 times
ogogundare
1 year, 2 months ago
Selected Answer: B
B is the correct answer. The key word here is to prevent the logs from being deleted. Answer would be incorrect as it does not mention tracking who deleted the file.
upvoted 3 times
tamng
1 year, 2 months ago
A is correct
upvoted 2 times
Saibal9
1 year, 2 months ago
Answer B is correct. Not only do we not want the files to be tampered with, no one ought to be able to delete them either. So, the only option that looks correct is option B.
upvoted 1 times
tamng
1 year, 2 months ago
You're wrong, A is correct, not B.
upvoted 1 times
konieczny69
1 year, 3 months ago
Selected Answer: B
Real answer is WORM, aka object locks: https://aws.amazon.com/blogs/storage/protecting-data-with-amazon-s3-object-lock/ - but it's not in the answers, so we need to pick from what we have. A is incorrect - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html - the integrity feature does not prevent anyone from deleting the file. D is nonsense, so it's either B or C. Since MFA delete inherently requires versioning, I'd go for B.
upvoted 3 times
konieczny69
1 year, 3 months ago
ChatGPT suggested A in the first place. I replied with a piece of documentation about log file validation and it switched its answer to B.
upvoted 3 times
Mangesh_XI_mumbai
1 year, 3 months ago
A is the right answer. How C? There is no mention of S3; it says "on various resources". I oppose C.
upvoted 1 times
Hatem08
1 year, 3 months ago
Selected Answer: C
Def. C is correct, as versioning on S3 buckets keeps the objects safe from deletion, while A won't prevent the deletion action itself; it will just show it...
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other