Q84 — AWS SCS-C02 Ch.1
A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs. Which combination of steps should the security team take? (Choose three.)
- A. Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS). ✓
- B. Compress log files with secure gzip.
- C. Create an Amazon EventBridge rule to notify the security team of any modifications on CloudTrail log files.
- D. Implement least privilege access to the S3 bucket by configuring a bucket policy. ✓
- E. Configure CloudTrail log file integrity validation. ✓
- F. Configure Access Analyzer for S3.
Correct Answer: A. Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS); D. Implement least privilege access to the S3 bucket by configuring a bucket policy; E. Configure CloudTrail log file integrity validation.
Explanation
AWS documentation states that protecting CloudTrail logs requires enabling log file integrity validation (E) to detect tampering, using SSE-KMS (A) to ensure encryption of data at rest, and applying a least-privilege S3 bucket policy (D) to restrict access. Option B's compression does not affect security, option C's monitoring is a reactive response, and option F analyzes access but does not directly block it. Best practice combines encryption, access control, and integrity checking as the core protective measures. [Reference: AWS Security Best Practices and the CloudTrail User Guide]