Q6 — AWS DOP-C02 Ch.3


A company hosts applications in a single AWS account. The applications use an Amazon S3 bucket to store objects containing sensitive information. The company needs to capture object-level S3 API calls, including calls that are denied due to invalid credentials. Which solution meets these requirements?

Correct Answer: A. Create an AWS CloudTrail trail in the account. Enable S3 data event logging. Configure the trail to log to Amazon CloudWatch.

Explanation

AWS CloudTrail records API activity across an AWS account, including object-level S3 operations. The requirement is to capture all S3 API calls, including requests that are denied because of invalid credentials. CloudTrail's data events feature is designed to log exactly such operations: it covers object-level read/write events as well as failed authentication attempts. Option A satisfies the requirement by creating a trail and enabling S3 data event logging. S3 server access logs (Option B) cannot record authentication failures. Amazon GuardDuty (Option C) focuses on threat detection, not detailed API logging. Option D does not explicitly enable data events and therefore cannot guarantee that object-level calls are logged. Per AWS documentation, CloudTrail data events are the recommended method for recording such operations.