AWS Certified Advanced Networking – Specialty ANS-C00 – Question 343

To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files.

A. SSE-S3
B. SCE-KMS
C. SCE-S3
D. SSE-KMS

Correct Answer: D

Explanation:
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.
Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html