AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
In an AWS Organizations environment, you need to record all management events from every member account and store them centrally in a security account. The security team insists that the logs be encrypted with a customer-managed KMS key that lives in the security account, and that no member account administrator can disable or delete the trail. Which approach satisfies these requirements with the least operational overhead?
Create an organization trail from the management (or delegated administrator) account that targets an S3 bucket in the security account, encrypt the bucket with a customer-managed KMS key in that account, and enable log file validation.
Send management events to CloudWatch Logs in each account and use cross-account subscription filters to push the logs to the security account; encrypt the logs with a customer-managed KMS key.
Create identical multi-region trails in every member account that write directly to the security account's S3 bucket using SSE-S3 encryption, and use AWS Config rules to monitor whether a trail is disabled.
Enable CloudTrail Lake in each account, export event data to an encrypted S3 bucket in the security account, and apply service control policies to block trail deletion.
An organization trail created from either the management account or a delegated administrator logs events for every account in the organization, delivers them to a single S3 bucket, and can be encrypted with a customer-managed KMS key in another account. Because the trail is owned by the organization, member-account administrators cannot modify, stop, or delete it. Enabling log file validation further ensures the log files have not been tampered with. Creating individual trails, CloudTrail Lake exports, or CloudWatch Logs subscriptions in each account would meet parts of the requirement but introduce higher operational burden and leave trail control in the hands of member accounts.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an organization trail in AWS Organizations?
Open an interactive chat with Bash
How does AWS CloudTrail ensure log file validation?
Open an interactive chat with Bash
What is a customer-managed KMS key and why is it useful in this setup?
Open an interactive chat with Bash
What is an organization trail in AWS?
Open an interactive chat with Bash
What is a customer-managed KMS key and how is it used in encryption?
Open an interactive chat with Bash
What is log file validation in AWS CloudTrail and why is it important?
Open an interactive chat with Bash
AWS Certified CloudOps Engineer Associate SOA-C03
Monitoring, Logging, Analysis, Remediation, and Performance Optimization
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .