Q6 — AWS DOP-C02 Ch.3
A company hosts applications in a single AWS account. The applications use an Amazon S3 bucket to store objects containing sensitive information. The company needs to capture object-level S3 API calls, including calls that are denied due to invalid credentials. Which solution meets these requirements?
- A. Create an AWS CloudTrail trail in the account. Enable S3 data event logging. Configure the trail to log to Amazon CloudWatch. ✓
- B. Create a new S3 bucket. Configure access logging on the application’s S3 bucket. Grant permissions to deliver logs to the new S3 bucket.
- C. Configure Amazon GuardDuty and enable S3 protection for the account. Create an Amazon EventBridge rule matching findings associated with the S3 bucket. Configure the rule to use an Amazon Simple Queue Service (Amazon SQS) queue as the target.
- D. Create an AWS CloudTrail trail and a new S3 bucket in the account. Configure the trail to log to the new S3 bucket.
Correct Answer: A. Create an AWS CloudTrail trail in the account. Enable S3 data event logging. Configure the trail to log to Amazon CloudWatch.
Explanation
AWS CloudTrail monitors and records API activity across an AWS account, including object-level S3 operations. The requirement is to capture all S3 API calls, including requests that are denied because of invalid credentials. CloudTrail's data events feature is specifically designed to log such operations, covering object-level read and write events as well as failed authentication attempts. Option A satisfies the requirement by creating a trail and enabling S3 data event logging. S3 server access logs (Option B) cannot record authentication failures. Amazon GuardDuty (Option C) focuses on threat detection, not detailed API logging. Option D does not explicitly enable data events and therefore cannot guarantee object-level call logging. Per AWS documentation, CloudTrail data events are the recommended method for recording such operations.