Exam AWS Certified SysOps Administrator - Associate topic 1 question 38 discussion

D. Learn more here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html

I would have thought is A, but after reading I found this: "CloudTrail does not deliver logs for requests that fail authentication (in which the provided credentials are not valid). However, it does include logs for requests in which authorization fails (AccessDenied) and requests that are made by anonymous users." https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html

I would have thought is A, but after reading I found this: "CloudTrail does not deliver logs for requests that fail authentication (in which the provided credentials are not valid). However, it does include logs for requests in which authorization fails (AccessDenied) and requests that are made by anonymous users." https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html

D: S3 Access Logging allows you to capture details of requests made to your S3 bucket, including failed attempts. This is critical for tracking authentication failures.By configuring the access logs to be saved to a second S3 bucket, you can separate the logs from the sensitive data in the original bucket, adding an extra layer of security and compliance.S3 Object Lock can be used to prevent object versions from being deleted or overwritten for a specified retention period. By turning on S3 Object Lock and setting the retention period to 90 days, you ensure that the access logs are immutable for the required duration.S3 Object Lock enforces a Write Once, Read Many (WORM) model, which is ideal for compliance and security use cases.

"CloudTrail does not deliver logs for requests that fail authentication (in which the provided credentials are not valid). However, it does include logs for requests in which authorization fails (AccessDenied) and requests that are made by anonymous users." https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html#:~:text=CloudTrail%20does%20not%20deliver%20logs%20for%20requests%20that%20fail%20authentication%20(in%20which%20the%20provided%20credentials%20are%20not%20valid).%20However%2C%20it%20does%20include%20logs%20for%20requests%20in%20which%20authorization%20fails%20(AccessDenied)%20and%20requests%20that%20are%20made%20by%20anonymous%20users.

I think D is correct. Its the only option which prevents the logs from being deleted. Cloud watch log retention will prevent the logs from expiring, but they can still be deleted.

Simple answer is D. S3 authentication failures are not logged by Cloud Trail. See chart in link. https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html Turning on S3object lock, protects against accidental deletion. See link https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

D is the correct answer to keep tracks of access logging for s3 bucket

D is Correct not A

B doesn't make sense with the log file integrity for 90 days bit - you don't configure log file integrity to only apply for a period of time.

Looks like it is B. Server access logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill. But Cloud Trail is capable of recording theIPs.So IPs recording, CloudTrail log file integrity validation for 90 days

Its simple straightforward question . D it is

Option D is the most appropriate solution because it covers the specific requirements mentioned in the question. By turning on access logging for the S3 bucket, you can capture the IP addresses from authentication failures. You then configure these access logs to be saved in a separate S3 bucket, ensuring data durability and separation from the source bucket. By enabling S3 Object Lock on the second S3 bucket and setting a default retention period of 90 days, you ensure that the logs cannot be deleted or overwritten for the specified duration.

maybe Create an AWS CloudTrail trail. Configure the log files to be saved to a different S3 bucket. Turn on CloudTrail log file integrity validation for 90 days. Notes: D is wrong because S3 buckets with S3 Object Lock can't be used as destination buckets for server access logs. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

NOT A: Can't configure CloudTrail to store logs in CloudWatch Logs. CloudTrail uses S3 bucket. CloudWatch Logs is not applicable. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/get-and-view-cloudtrail-log-files.html NOT B: "Integrity validation" is only designed to detect changes or deletions of CloudTrail logs. It depends on other security measures to block this. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html NOT C: Server access logging only delivers access logs for a source bucket to a target bucket. CloudWatch log group is not applicable. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.htm NOT D: "S3 buckets with S3 Object Lock can't be used as destination buckets for server access logs." https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

By creating a CloudTrail trail, you can log all API calls made to the S3 bucket, including authentication failures. The logs can be saved to a separate S3 bucket to isolate them from the main bucket and provide an additional layer of security. Turning on CloudTrail log file integrity validation ensures that the logs cannot be modified or deleted without detection. The retention period for the logs can be set to 90 days to meet the requirements specified in the question.

This question is really tricky, but after reding the question very carefully, I will definitely go with BBBBBB.