Q56 — AWS SCS-C02 Ch.1 (Question 56 of 100)
A company needs to log object-level activity in its Amazon S3 buckets. The company also needs to validate the integrity of the log files by using a digital signature. Which solution will meet these requirements?
- A. Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type. ✓
- B. Create a new S3 bucket for S3 server access logs. Configure the existing S3 buckets to send their S3 server access logs to the new S3 bucket.
- C. Create an Amazon CloudWatch Logs log group. Configure the existing S3 buckets to send their S3 server access logs to the log group.
- D. Create a new S3 bucket for S3 server access logs with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
Correct Answer: A. Create an AWS CloudTrail trail with log file validation enabled. Enable data events. Specify Amazon S3 as the data event type.
Explanation
AWS CloudTrail records API activity and events in an AWS account. A trail logs S3 bucket-level (management) operations by default; object-level operations such as GetObject, PutObject and DeleteObject are only recorded when data events are enabled on the trail with Amazon S3 selected as the data event type. With log file validation enabled, CloudTrail delivers an hourly digest file that lists every log file delivered in that hour together with its SHA-256 hash, and each digest file is digitally signed (SHA-256 with RSA, using a CloudTrail private key; the matching public key is available through the `list-public-keys` API). Because each digest also references the previous digest's signature, the digests form a chain, so a deleted, modified or replaced log file is detected by `aws cloudtrail validate-logs` or by a custom check. The other options fail on the integrity requirement: S3 server access logs are delivered on a best-effort basis to an S3 bucket with no hash or signature, so option B records requests but cannot prove they were not altered; S3 server access logging cannot deliver to a CloudWatch Logs log group at all, so option C is not a valid configuration; and option D mixes CloudTrail features (log file validation, data events) into S3 server access logging, which offers neither.
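The following Python is an added example, not part of the original question page and not AWS code. It shows offline the two checks the correct answer relies on: verifying the SHA-256 hash of a delivered log file against the digest file, and picking out the S3 object-level (data) events from a log file. The digest and log records are constructed samples that mimic the documented CloudTrail structure (account ID, bucket names and keys are made up). The RSA signature over the digest is not verified here, since that needs the CloudTrail public key; the function `digest_signing_string` only builds the string that AWS documents as the input to that SHA256withRSA check, and its exact layout is taken from my reading of the custom-validation documentation, so treat it as an assumption.

```python
"""Offline CloudTrail log file integrity check plus S3 data-event extraction.

Constructed sample data throughout; no AWS API calls are made.
"""
from __future__ import annotations

import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the hash algorithm CloudTrail records in digest files."""
    return hashlib.sha256(data).hexdigest()


# Constructed log file: one object-level (data) event and one bucket-level
# (management) event. Keys and account ID are fictitious.
LOG_FILE_KEY = ("AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
                "111122223333_CloudTrail_us-east-1_20240101T0000Z_sample.json.gz")
LOG_RECORDS = {
    "Records": [
        {   # written only because S3 data events are enabled on the trail
            "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
            "eventCategory": "Data",
            "resources": [{"type": "AWS::S3::Object",
                           "ARN": "arn:aws:s3:::example-bucket/report.csv"}],
        },
        {   # bucket-level call, logged by any trail without data events
            "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
            "eventCategory": "Management",
        },
    ]
}
LOG_FILE_BYTES = gzip.compress(json.dumps(LOG_RECORDS).encode())

# Attacker scenario: the PutObject record is removed and the file re-gzipped.
TAMPERED_LOG_FILE_BYTES = gzip.compress(
    json.dumps({"Records": LOG_RECORDS["Records"][1:]}).encode())

# Constructed digest file in the documented shape: CloudTrail writes one per
# hour when log file validation is on, listing each log file and its hash.
DIGEST = {
    "awsAccountId": "111122223333",
    "digestStartTime": "2024-01-01T00:00:00Z",
    "digestEndTime": "2024-01-01T01:00:00Z",
    "digestS3Bucket": "example-trail-bucket",
    "digestS3Object": ("AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/01/"
                       "111122223333_CloudTrail-Digest_us-east-1_20240101T010000Z.json.gz"),
    "previousDigestSignature": "ab" * 128,  # hex RSA signature of prior digest (made up)
    "logFiles": [{
        "s3Bucket": "example-trail-bucket",
        "s3Object": LOG_FILE_KEY,
        "hashValue": sha256_hex(LOG_FILE_BYTES),
        "hashAlgorithm": "SHA-256",
    }],
}


def verify_log_files(digest: dict, objects: dict[str, bytes]) -> dict[str, str]:
    """Check every log file the digest lists against the bytes actually present.

    `objects` maps S3 key -> file content. Returns key -> 'ok' | 'tampered' | 'missing'.
    """
    results: dict[str, str] = {}
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])
        if data is None:
            results[entry["s3Object"]] = "missing"
        elif sha256_hex(data) == entry["hashValue"]:
            results[entry["s3Object"]] = "ok"
        else:
            results[entry["s3Object"]] = "tampered"
    return results


def digest_signing_string(digest: dict, digest_file_bytes: bytes) -> str:
    """Build the string whose SHA256withRSA signature is stored as the digest's
    x-amz-meta-signature metadata (layout assumed from the AWS custom-validation
    docs: end time, bucket/key, hex SHA-256 of the digest file, previous signature).
    """
    return "\n".join([
        digest["digestEndTime"],
        f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
        sha256_hex(digest_file_bytes),
        digest["previousDigestSignature"],
    ])


def s3_object_events(log_file_bytes: bytes) -> list[str]:
    """Return the event names of S3 object-level (data) events in a log file."""
    records = json.loads(gzip.decompress(log_file_bytes))["Records"]
    return [r["eventName"] for r in records
            if r["eventSource"] == "s3.amazonaws.com" and r.get("eventCategory") == "Data"]


if __name__ == "__main__":
    print(verify_log_files(DIGEST, {LOG_FILE_KEY: LOG_FILE_BYTES}))
    print(verify_log_files(DIGEST, {LOG_FILE_KEY: TAMPERED_LOG_FILE_BYTES}))
    print(s3_object_events(LOG_FILE_BYTES))
```

The tampered copy is caught because its SHA-256 no longer matches the value in the digest; an attacker who also rewrites the digest is caught by the digest's RSA signature, which this example leaves to `aws cloudtrail validate-logs`. Note that `PutBucketPolicy` is excluded from `s3_object_events`: it is a management event and would be logged even without data events, while `PutObject` appears only because S3 data events were enabled.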