Member, April 8, 2022 at 9:40 pm
Hi, I was answering a question in the Practice Exam-Time set1 and I was wondering why my answer choice was wrong. It is correct as per the AWS document. Looking forward to your guidance on this!
I have mentioned the details below:
A multinational company is using multiple AWS accounts for its entire cloud infrastructure. To centralize the security logs of all accounts, each AWS account must be configured to push its CloudTrail logs to an Amazon S3 bucket hosted in the TD-Central AWS account. All accounts are properly sending out the logs to the bucket except for three accounts.
Which steps should the Security Engineer take to troubleshoot the issue? (Select TWO.)
1) Ensure that the configured log file prefix is identical to the name of the S3 bucket where the logs should go.
2) Ensure that the S3 bucket policy grants AWS CloudTrail the permission to write log files from the AWS accounts. Verify that the specified AWS Account IDs are correct.
3) Ensure that the S3 bucket of each AWS account that contains the CloudTrail logs has cross-account access to the central S3 bucket in the TD-Central AWS account.
Ensure that each trail is active using the CloudTrail console and verify that the specified destination S3 bucket name is correctly configured.
4) Ensure that the central S3 bucket is properly set in the Global AWS CloudTrail configuration in the master account.
Here, as one of the answer choices, I selected answer choice 1) and it was marked as incorrect. The reason that was given was that: “The option that says: Ensure that the configured log file prefix is identical to the name of the S3 bucket where the logs should go is incorrect because the log file prefix is just optional and it doesn’t have to be exactly the same as the S3 bucket name.”
However, in the AWS documentation, the following is clearly written about the log file prefix as being one of the steps in configuring CloudTrail in additional accounts:
“In the Log file prefix field, enter the same prefix you entered for storing log files when you turned on CloudTrail using account 111111111111 credentials. If you choose to use a prefix that is different from the one you entered when you turned on CloudTrail in the first account, you must edit the bucket policy on your destination bucket to allow CloudTrail to write log files to your bucket using this new prefix.”
Hope this helps!
Administrator, April 9, 2022 at 4:04 am
Thanks for your feedback.
The steps provided by AWS assume that a log file prefix was used in the central account. If that’s the case, that prefix must be uniform across all accounts where you want CloudTrail turned on. The log file prefix is simply a part of the pathname convention of an S3 ARN. It’s totally optional. Here’s a comprehensive guide for enabling central logging in CloudTrail. You’ll notice that the author skipped the adding of a prefix.
Now let’s go over to the option that says “Ensure that the configured log file prefix is identical to the name of the S3 bucket where the logs should go.” While checking the log file prefix is a good checkbox to tick when troubleshooting, the statement is false because a log file prefix need not be named after the S3 bucket name. The phrase should be something like “ensure the log file prefix is identical to the prefix used in the central account” in order for it to be considered a valid answer.
I hope this answers your question.
Let me know if you have additional questions.
Carlo @ Tutorials Dojo
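The reply above makes two points that are easy to check mechanically: the central bucket policy must list each sending account ID, and the object path CloudTrail writes to (`[prefix/]AWSLogs/<account-id>/...`) must fall under a Resource ARN that the policy's `s3:PutObject` statement for `cloudtrail.amazonaws.com` allows. The following script is an added example, not code from the thread, AWS, or Tutorials Dojo. The bucket policy, bucket name and account IDs in it are constructed placeholders; it reads a policy document and reports, per sending account and its configured prefix, whether a write would be permitted.

```python
"""Check whether a central S3 bucket policy lets CloudTrail deliver logs for given accounts.

Added example (not from the original thread). The policy below is constructed to
resemble the bucket policy CloudTrail requires on a central bucket; the bucket
name and account IDs are placeholders.
"""
import fnmatch
import json

# Constructed sample policy: account 111111111111 writes with no prefix,
# account 222222222222 writes under the "logs" prefix, nobody else is listed.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::central-trail-bucket-example",
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::central-trail-bucket-example/AWSLogs/111111111111/*",
                "arn:aws:s3:::central-trail-bucket-example/logs/AWSLogs/222222222222/*",
            ],
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ],
})


def expected_object_arn(bucket, prefix, account_id):
    """ARN of an object CloudTrail would write: [prefix/]AWSLogs/<account>/CloudTrail/..."""
    key = f"AWSLogs/{account_id}/CloudTrail/placeholder-object.json.gz"
    if prefix:
        key = f"{prefix.strip('/')}/{key}"
    return f"arn:aws:s3:::{bucket}/{key}"


def put_allowed_resources(policy_json):
    """Resource patterns from Allow statements granting s3:PutObject to the CloudTrail service."""
    policy = json.loads(policy_json)
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else None
        services = [service] if isinstance(service, str) else (service or [])
        if "cloudtrail.amazonaws.com" not in services:
            continue
        if not any(a in ("s3:PutObject", "s3:*") for a in actions):
            continue
        res = stmt.get("Resource", [])
        patterns.extend([res] if isinstance(res, str) else res)
    return patterns


def check_accounts(policy_json, bucket, trails):
    """trails maps account_id -> log file prefix configured on that account's trail.

    Returns {account_id: bool} telling whether the policy permits the write.
    IAM-style '*' wildcards are matched with fnmatch, which also lets '*' span '/'.
    """
    patterns = put_allowed_resources(policy_json)
    return {
        account_id: any(fnmatch.fnmatchcase(expected_object_arn(bucket, prefix, account_id), p)
                        for p in patterns)
        for account_id, prefix in trails.items()
    }


if __name__ == "__main__":
    # Constructed trail configurations: one correct, one with a prefix that
    # does not match the policy, one account missing from the policy entirely.
    trails = {"111111111111": "", "222222222222": "", "333333333333": ""}
    for acct, ok in check_accounts(SAMPLE_POLICY, "central-trail-bucket-example", trails).items():
        print(f"{acct}: {'write permitted' if ok else 'NOT permitted - check bucket policy / prefix'}")
```

Running the check over the three failing accounts in the question would separate the two causes the reply distinguishes: an account whose ID is missing from the policy, and an account whose trail uses a prefix that differs from the path the policy grants. Confirming that each trail is active and points at the right bucket name is still a separate check in the CloudTrail console.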