DOP-C02 · Question #379
DOP-C02 Question #379: Real Exam Question with Answer & Explanation
The correct answer is A: Create an AWS CloudTrail trail in the account. Enable S3 data events logging. Configure the trail. AWS CloudTrail provides visibility into API activity in an AWS account, including S3 object-level API operations. To capture object-level API calls in Amazon S3, CloudTrail S3 data events logging must be enabled. This logs actions such as PutObject, GetObject, and DeleteObject. A
Question
A company hosts an application in its AWS account. The application uses an Amazon S3 bucket to store objects that contain sensitive information. The company needs to capture object-level S3 API calls, including calls that are rejected because the calls were made by using credentials that are not valid. Which solution will meet these requirements?
Options
- ACreate an AWS CloudTrail trail in the account. Enable S3 data events logging. Configure the trail
- BCreate a new S3 bucket. Configure access logging on the application's S3 bucket. Deliver the
- CConfigure Amazon GuardDuty with S3 protection enabled for the account. Create an Amazon
- DCreate an AWS CloudTrail trail and a new S3 bucket in the account. Configure the trail to log to
Explanation
AWS CloudTrail provides visibility into API activity in an AWS account, including S3 object-level API operations. To capture object-level API calls in Amazon S3, CloudTrail S3 data events logging must be enabled. This logs actions such as PutObject, GetObject, and DeleteObject. Additionally, CloudTrail can capture events where API calls are rejected due to invalid credentials, making it suitable for tracking access attempts. Logging to Amazon CloudWatch allows real-time monitoring, alerts, and operational insights, which enhances security by detecting unauthorized access attempts.
Topics
Community Discussion
No community discussion yet for this question.