ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An organization runs several critical workloads on AWS. The CISO mandates the ability to trace every API call and correlate it to the specific IAM identity that performed it, including cross-account access, to satisfy accountability requirements. Logs must be protected against tampering and retained for at least one year. Which solution BEST meets these requirements with minimal operational overhead?
Create an organization-wide AWS CloudTrail trail that delivers logs to an S3 bucket with Object Lock in compliance mode and enable CloudTrail log file integrity validation.
Use EventBridge to capture CloudWatch API events, stream them to Kinesis Data Firehose, and archive the data in S3.
Enable VPC Flow Logs for all VPCs and store the logs in CloudWatch Logs with a one-year retention policy.
Turn on AWS Config across all accounts and store configuration snapshots in an S3 bucket using default settings.
The most complete way to establish accountability for all AWS API activity is to create an organization-wide AWS CloudTrail trail. CloudTrail records every management-level API call made through the console, CLI, SDKs, or other AWS services and clearly identifies the calling IAM principal, including cross-account usage. Delivering the trail to an S3 bucket protected by Object Lock in compliance mode prevents log alteration or deletion, and CloudTrail's built-in log file integrity validation detects any tampering attempts. VPC Flow Logs record network traffic metadata, not API invocations, so they cannot attribute API calls to identities. AWS Config tracks resource configuration changes but does not capture every API call or guarantee tamper-evident storage. Streaming CloudWatch events to Kinesis provides some API visibility but requires custom development for completeness and integrity protection, adding operational overhead. Therefore, an organization trail with secure S3 storage and integrity validation is the best fit.
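The attribution step described above, as an added example that is not part of the original question: it reads the `userIdentity` block of CloudTrail records and flags calls whose caller account differs from `recipientAccountId`. The sample records, account IDs, principal IDs, and the function names `attribute` and `report` are constructed for illustration.

```python
# Constructed sample records (not real logs); account IDs, names and IDs are placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEROLE:bob",
                      "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob",
                      "accountId": "111122223333",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role",
                          "arn": "arn:aws:iam::111122223333:role/OpsRole"}}}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AWSAccount", "principalId": "AIDAEXAMPLEOTHER",
                      "accountId": "444455556666"}},
]

def attribute(record):
    """Return (actor, cross_account) for one CloudTrail record."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "AssumedRole":
        # The session ARN names the session; sessionIssuer names the role behind it.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        actor = f'{issuer.get("arn", "?")} (session {ident.get("arn", "?")})'
    elif kind == "AWSService":
        actor = f'service:{ident.get("invokedBy", "?")}'
    elif kind == "AWSAccount":
        # Caller in another account: only account and principal IDs are recorded.
        actor = f'account:{ident.get("accountId")} principal:{ident.get("principalId")}'
    else:  # IAMUser, Root and similar types carry a usable ARN
        actor = ident.get("arn") or f'{kind}:{ident.get("principalId")}'
    caller, owner = ident.get("accountId"), record.get("recipientAccountId")
    return actor, bool(caller and owner and caller != owner)

def report(records):
    """One accountability row per API call: when, what, who, and cross-account flag."""
    return [{"time": r["eventTime"], "api": f'{r["eventSource"]}:{r["eventName"]}',
             "actor": actor, "cross_account": cross}
            for r in records for actor, cross in [attribute(r)]]

if __name__ == "__main__":
    for row in report(SAMPLE_RECORDS):
        print(row)
```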
ISC2 Systems Security Certified Practitioner (SSCP)
Security Concepts and Practices