AWS Certified SysOps Administrator SOA-C01 – Question729

A SysOps Administrator must secure AWS CloudTrail logs. The Security team is concerned that an employee may modify or attempt to delete CloudTrail log files from its Amazon S3 bucket.
Which practices will ensure that the log files are available and unaltered? (Choose two.)

A. Enable the CloudTrail log file integrity check in AWS Config Rules.
B. Use CloudWatch Events to scan log files hourly.
C. Enable CloudTrail log file integrity validation.
D. Turn on Amazon S3 MFA Delete for the CloudTrail bucket.
E. Implement a DENY ALL bucket policy on the CloudTrail bucket.

Correct Answer: CD

Explanation:

CloudTrail log file integrity validation also lets you know whether a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time. It uses industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete, or forge CloudTrail log files without detection.

Configuring multi-factor authentication (MFA) Delete ensures that any attempt to change the versioning state of the bucket or permanently delete an object version requires additional authentication. This helps prevent any operation that could compromise the integrity of your log files, even if a user acquires the password of an IAM user that has permissions to permanently delete Amazon S3 objects.

Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-pra…
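To make concrete what "detect modified, deleted, or forged log files" means for option C, the following is an added Go example, not part of this question page and not AWS's own tooling (the AWS CLI's `aws cloudtrail validate-logs` performs the real check). It models a digest file as a signed list of log-file hashes: the `Digest` field names and the newline-separated string-to-sign layout are assumptions modelled on the documented custom-validation procedure, and the RSA key, S3 paths and log contents are constructed stand-ins.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is a simplified model of a CloudTrail digest file (field names are an assumption): the log files of one delivery window with their SHA-256 hashes, chained to the previous digest's signature.
type Digest struct {
	DigestEndTime, DigestS3Bucket, DigestS3Object, PreviousDigestSignature string
	LogFiles                                                               map[string]string // S3 key -> hex SHA-256
}
func sha256Sum(b []byte) []byte { s := sha256.Sum256(b); return s[:] }
func sha256Hex(b []byte) string { return hex.EncodeToString(sha256Sum(b)) }
// stringToSign follows the documented custom-validation layout (assumption; check the CloudTrail docs): endTime, bucket/object, SHA-256 of the digest body, previous signature, newline-separated.
func stringToSign(d Digest, body []byte) []byte {
	return []byte(d.DigestEndTime + "\n" + d.DigestS3Bucket + "/" + d.DigestS3Object + "\n" + sha256Hex(body) + "\n" + d.PreviousDigestSignature)
}
// VerifyDigest checks the SHA256withRSA (PKCS#1 v1.5) signature over the digest, then every listed log file's hash; it reports whether the digest is authentic and which files are modified or missing.
func VerifyDigest(pub *rsa.PublicKey, d Digest, body, sig []byte, logs map[string][]byte) (authentic bool, bad []string) {
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha256Sum(stringToSign(d, body)), sig) != nil {
		return false, nil // forged or altered digest: its file list cannot be trusted
	}
	for obj, want := range d.LogFiles {
		if got, ok := logs[obj]; !ok || sha256Hex(got) != want {
			bad = append(bad, obj)
		}
	}
	return true, bad
}
// Demo signs a digest over two constructed log files, then edits one, deletes the other, and alters the digest body.
func Demo() (clean, tampered []string, forgedOK bool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for CloudTrail's signing key
	a, b := "AWSLogs/111122223333/CloudTrail/us-east-1/2020/01/01/a.json.gz", "AWSLogs/111122223333/CloudTrail/us-east-1/2020/01/01/b.json.gz"
	logs := map[string][]byte{a: []byte(`{"Records":[{"eventName":"StopLogging"}]}`), b: []byte(`{"Records":[{"eventName":"DeleteTrail"}]}`)}
	d := Digest{DigestEndTime: "2020-01-01T01:00:00Z", DigestS3Bucket: "example-trail-bucket", DigestS3Object: "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2020/01/01/digest.json.gz",
		LogFiles: map[string]string{a: sha256Hex(logs[a]), b: sha256Hex(logs[b])}}
	body := []byte(fmt.Sprintf("%+v", d)) // stand-in for the digest file's JSON body
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sha256Sum(stringToSign(d, body))) // CloudTrail stores this as S3 object metadata
	_, clean = VerifyDigest(&key.PublicKey, d, body, sig, logs)
	logs[a] = append(logs[a], '!') // an employee edits one log file...
	delete(logs, b)                // ...and deletes another
	_, tampered = VerifyDigest(&key.PublicKey, d, body, sig, logs)
	forgedOK, _ = VerifyDigest(&key.PublicKey, d, append(body, ' '), sig, logs)
	return
}

func main() { fmt.Println(Demo()) }
```

The clean run reports no mismatches, the tampered run names both the edited and the deleted file, and the altered digest body fails signature verification, which is why a DENY ALL bucket policy (option E) is unnecessary for integrity while MFA Delete (option D) still matters for availability.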