ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization runs a multi-tenant SaaS platform on AWS. Regulators require that every administrative API call be preserved for seven years and that you can provide auditors with cryptographic proof the records were never altered. Management wants the least possible ongoing maintenance effort while meeting these mandates. Which design choice BEST satisfies the requirement?
Configure application servers to write JSON audit events locally, then replicate those files to a second S3 bucket each night.
Enable AWS CloudTrail in all regions with log file integrity validation and send the trails to an S3 bucket that has Object Lock set to Compliance mode for seven years.
Stream CloudTrail events into a self-managed Elasticsearch cluster and create weekly encrypted snapshots to S3.
Enable Amazon VPC Flow Logs and archive them directly to Glacier Deep Archive with a seven-year retention lifecycle policy.
Enabling AWS CloudTrail with log file integrity validation provides SHA-256 hashing and signed digest files so you can prove each log is intact and unmodified. Storing those logs in an S3 bucket that has Object Lock set to Compliance mode makes the objects immutable for the full seven-year retention period without additional administrative tasks. The other options either lack cryptographic integrity checking (nightly file replication, snapshots, Glacier archive) or require significant self-management overhead (running an Elasticsearch cluster) and therefore do not meet both the integrity and low-maintenance criteria.
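The hash checks behind integrity validation can be sketched offline: each digest file lists a SHA-256 hash per log file and records the hash of the previous digest, so an edit, a deletion, or a rewritten digest shows up as a mismatch. This is an added example, not code from the original page or from AWS. It uses CloudTrail's digest field names (`logFiles`, `hashValue`, `previousDigestHashValue`) on constructed data, keeps objects in memory instead of S3, and omits the RSA signature check that `aws cloudtrail validate-logs` performs.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_digest(bucket, log_objects, previous_digest):
    """Build a constructed digest file using CloudTrail's digest field names."""
    doc = {
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key,
             "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in log_objects.items()
        ],
    }
    return json.dumps(doc, sort_keys=True).encode()

def verify_chain(digests, store):
    """Return a list of findings; an empty list means every check passed.

    digests: digest file bytes, oldest first. store: key -> bytes now in the bucket.
    """
    findings = []
    previous = None
    for index, raw in enumerate(digests):
        doc = json.loads(raw)
        expected_prev = sha256_hex(previous) if previous is not None else None
        if doc["previousDigestHashValue"] != expected_prev:
            findings.append(f"digest {index}: chain broken")
        for entry in doc["logFiles"]:
            body = store.get(entry["s3Object"])
            if body is None:
                findings.append(f"{entry['s3Object']}: missing")
            elif sha256_hex(body) != entry["hashValue"]:
                findings.append(f"{entry['s3Object']}: modified")
        previous = raw
    return findings

# Constructed sample data (not real CloudTrail output); bucket name is a placeholder.
LOGS_HOUR1 = {"logs/0001.json": b'{"Records":[{"eventName":"CreateUser"}]}'}
LOGS_HOUR2 = {"logs/0002.json": b'{"Records":[{"eventName":"DeleteTrail"}]}',
              "logs/0003.json": b'{"Records":[{"eventName":"PutBucketPolicy"}]}'}
DIGEST1 = make_digest("example-audit-bucket", LOGS_HOUR1, None)
DIGEST2 = make_digest("example-audit-bucket", LOGS_HOUR2, DIGEST1)
STORE = {**LOGS_HOUR1, **LOGS_HOUR2}

if __name__ == "__main__":
    print(verify_chain([DIGEST1, DIGEST2], STORE))
    tampered = dict(STORE, **{"logs/0002.json": b'{"Records":[]}'})
    print(verify_chain([DIGEST1, DIGEST2], tampered))
```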
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Platform & Infrastructure Security