Security Speciality Timed mode Diagnostic test – 45
Carlo-TutorialsDojo updated 3 years, 5 months ago · 2 Members · 2 Posts
Hi Team,
Regarding Question 45 in Timed mode Diagnostic Test
An organization has several AWS accounts and it wants to use CloudTrail to log each API call in AWS. For auditing purposes, the log files from all the AWS accounts must be stored in a single S3 bucket, which resides in a new AWS account that is specifically built for centralized services. A Security Engineer has been instructed to set up a configuration that will detect any modifications to the logs.
Which combination of steps should the Engineer implement to satisfy the above requirements? (Select THREE.)
A. Add a bucket policy to the new centralized S3 bucket to grant CloudTrail permission to write log files from all the accounts specified. Verify that the bucket permits the CloudTrail service to use the s3:UploadPart action.
B. Configure the bucket policy to the new centralized S3 bucket to grant CloudTrail permission to write log files from all the AWS accounts specified. Ensure that the bucket permits the CloudTrail service to use the s3:PutObject action.
C. Use AWS KMS to encrypt the CloudTrail logs.
D. Create a new Amazon S3 bucket in an existing account to centrally store the CloudTrail logs.
E. Enable the Log File Validation feature on all trails.
F. Launch a new AWS account and create a new Amazon S3 bucket to centrally store the CloudTrail logs.
You have mentioned that option F is correct, which says "Launch a new AWS account", but when you look at the question, "For auditing purposes, the log files from all the AWS accounts must be stored in a single S3 bucket, which resides in a new AWS account that is specifically built for centralized services", does that mean the account already exists? Because you have already mentioned a new account that is specifically built for centralized services.
Based on your wording, we assume that account already exists because you said it is built.
Can you please update this question or clarify why option F is correct here?
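As an added illustration of the configuration the correct options describe (this is example code, not part of the question bank or Tutorials Dojo's own material), the Python below builds the bucket policy a centralized CloudTrail bucket needs for several source accounts and audits an existing policy for the s3:PutObject grant; the bucket name and account IDs are placeholders.

```python
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def build_cloudtrail_bucket_policy(bucket, account_ids):
    """Policy for the centralized log bucket: CloudTrail needs s3:GetBucketAcl on
    the bucket and s3:PutObject (not s3:UploadPart) on the AWSLogs/<account-id>/
    prefix of every account that delivers logs to it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
                # CloudTrail writes with this ACL so the bucket owner keeps control of the objects.
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def cloudtrail_can_write(policy, bucket, account_id):
    """Audit check: does some Allow statement grant the CloudTrail service
    s3:PutObject on the per-account prefix (or a wildcard over all of AWSLogs)?"""
    wanted = {f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*", f"arn:aws:s3:::{bucket}/AWSLogs/*"}
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services:
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        if wanted & set(_as_list(stmt.get("Resource", []))):
            return True
    return False
```

Apply the generated document with `aws s3api put-bucket-policy --bucket <bucket> --policy "$(python -c ...)"` or `json.dumps(policy)`, and enable log file validation on each trail separately so digest files make any later tampering detectable.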
-
Hello Vinod,
Thanks for your feedback — much appreciated.
We will update the wording from “which resides” to “which will reside in a new AWS account…” to avoid confusion.
Regards,
Carlo @ Tutorials Dojo