AWS Certified Security – Specialty SCS-C01 – Question168

A company recently performed an annual security assessment of its AWS environment. The assessment showed the audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.
How should a Security Engineer resolve these issues?

A.
Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.

Correct Answer: A