AWS Certified Data Engineer Associate DEA-C01 Practice Question

CloudTrail management events are logged automatically, but object-level S3 actions such as DeleteObject are data events that are not captured unless explicitly enabled. Updating the existing organization trail with an advanced event selector that logs only Write data events (which includes DeleteObject) for the specific prod-data-lake bucket records the required API calls. Because data-event billing is $0.10 per 100,000 events, scoping the selector to a single bucket avoids charges from other buckets. S3 server access logging produces access logs outside of CloudTrail and does not provide the same level of IAM identity detail needed for audits. Creating a new trail for every bucket would meet the requirement but would incur unnecessary data-event costs. CloudTrail Insights analyzes anomalies in management-event patterns and does not capture individual DeleteObject operations. Therefore, refining the current trail with a bucket-specific advanced event selector is the most economical and compliant solution.