AWS Certified Solutions Architect Professional SAP-C02 Practice Question

A large enterprise uses AWS Organizations to manage its multi-account environment. A new compliance mandate requires that all management and data events for all AWS Regions are centrally logged in a tamper-evident manner. The logs must be consolidated into a dedicated S3 bucket within a central logging account and encrypted using a customer-managed AWS KMS key. A solutions architect needs to design the most secure and operationally efficient solution. Which approach meets these requirements?

  • From the organization's management account, create an organization trail. Configure the trail to be multi-region, enable log file validation, and set the destination to the S3 bucket in the logging account using the specified customer-managed KMS key. Apply an S3 bucket policy that grants write permissions only to the CloudTrail service principal for the organization and denies log file deletion from any principal.

  • Deploy an AWS CloudFormation StackSet from the management account to create a CloudTrail trail in each member account. Configure each trail to send logs to the central S3 bucket using the specified KMS key. Use AWS Config to continuously audit that all accounts have the correct trail configuration.

  • In the management account, create a multi-region CloudTrail trail that sends logs to an Amazon Kinesis Data Firehose stream. Configure the Firehose stream to deliver the logs to the central S3 bucket and use a Lambda function to perform the encryption with the customer-managed KMS key before storage.

  • From the organization's management account, create an organization trail to deliver logs to the central S3 bucket. Encrypt the logs using the default server-side encryption (SSE-S3) and enable S3 Object Lock in Compliance mode on the bucket to ensure log files cannot be deleted.

Design Solutions for Organizational Complexity