SCS-C03 Question #150: Real Exam Question with Answer & Explanation
The correct answer is A: In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in
Question
A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account. All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select TWO.)
Options
- A. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in
- B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in
- C. In the dedicated security account, create an Amazon S3 bucket with an S3 Lifecycle configuration
- D. Create an AWS CloudTrail organization trail. Configure logs to be delivered to the Amazon S3
- E. Turn on AWS CloudTrail in each account and forward logs to the dedicated security account by
Explanation
AWS CloudTrail organization trails are specifically designed to provide centralized, organization-wide logging with minimal operational effort. According to the AWS Certified Security - Specialty Official Study Guide, an organization trail records all management events for all member accounts and delivers them to a single Amazon S3 bucket. To ensure that logs cannot be altered or deleted, Amazon S3 Object Lock in compliance mode must be used. Compliance mode enforces write-once-read-many (WORM) protection: no user, including the root user, can delete or modify a locked object before its retention period expires. This directly satisfies the requirement that no changes or deletions are allowed for 2 years. The S3 bucket must reside in the dedicated security account to provide isolation and a strong security boundary. Granting write permissions to the organization's management account (Option A) aligns with AWS best practices, because the management account owns and manages the organization trail and centrally delivers logs on behalf of all member accounts.
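As an added illustration (not part of this page and not AWS tooling), the script below builds the two artifacts the explanation describes, an Object Lock configuration in compliance mode with a 2-year default retention and the bucket policy that lets CloudTrail write an organization trail into the security account's bucket, and then audits them against the question's requirements. It makes no AWS calls; the organization ID, management account ID and bucket name are placeholders to replace with your own.

```python
"""Audit an S3 log bucket configuration for the organization-trail requirements:
WORM retention of 2 years in Object Lock COMPLIANCE mode, plus a bucket policy that
lets CloudTrail deliver logs. Pure Python; configurations are constructed inline so
the check runs offline (no boto3, no AWS account needed)."""
import json

# Placeholder identifiers (constructed, not real values).
ORG_ID = "o-exampleorgid"
MGMT_ACCOUNT_ID = "111111111111"
BUCKET = "example-security-account-cloudtrail-logs"
REQUIRED_RETENTION_DAYS = 2 * 365

# Object Lock configuration in the shape accepted by PutObjectLockConfiguration.
OBJECT_LOCK_COMPLIANCE = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 2}},
}


def cloudtrail_org_bucket_policy(bucket, org_id, mgmt_account_id):
    """Bucket policy for an organization trail: CloudTrail must read the bucket ACL
    and write under AWSLogs/<org-id>/ and AWSLogs/<management-account-id>/."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [
                    f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",
                    f"arn:aws:s3:::{bucket}/AWSLogs/{mgmt_account_id}/*",
                ],
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def retention_days(default_retention):
    """Normalise a DefaultRetention block (Days or Years) to a day count."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_log_bucket(object_lock_config, bucket_policy, bucket):
    """Return a list of findings; an empty list means the requirements are met."""
    findings = []
    if object_lock_config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    rule = object_lock_config.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("default retention is not COMPLIANCE mode (governance mode can be bypassed)")
    if retention_days(rule) < REQUIRED_RETENTION_DAYS:
        findings.append("default retention is shorter than 2 years")

    cloudtrail = [
        s for s in bucket_policy.get("Statement", [])
        if s.get("Effect") == "Allow"
        and s.get("Principal", {}).get("Service") == "cloudtrail.amazonaws.com"
    ]
    if not any("s3:GetBucketAcl" in _as_list(s.get("Action")) for s in cloudtrail):
        findings.append("CloudTrail is not allowed s3:GetBucketAcl on the bucket")
    writes = [s for s in cloudtrail if "s3:PutObject" in _as_list(s.get("Action"))]
    prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
    if not any(r.startswith(prefix) for s in writes for r in _as_list(s.get("Resource"))):
        findings.append("CloudTrail has no s3:PutObject grant under AWSLogs/ in this bucket")
    elif not all(
        s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        == "bucket-owner-full-control"
        for s in writes
    ):
        findings.append("CloudTrail write grant lacks the bucket-owner-full-control ACL condition")
    return findings


if __name__ == "__main__":
    policy = cloudtrail_org_bucket_policy(BUCKET, ORG_ID, MGMT_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_log_bucket(OBJECT_LOCK_COMPLIANCE, policy, BUCKET))
```

The audit deliberately treats GOVERNANCE mode as a finding: a principal holding `s3:BypassGovernanceRetention` can shorten or remove governance-mode retention, so only COMPLIANCE mode gives the "no changes or deletions" guarantee the question asks for.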