Question
A company is storing sensitive data in an Amazon S3 bucket. The company must log all activities for objects in the S3 bucket and must keep the logs for 5 years. The company’s security team also must receive an email notification every time there is an attempt to delete data in the S3 bucket. Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)
A. Configure AWS CloudTrail to log S3 data events.
B. Configure S3 server access logging for the S3 bucket.
C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES).
D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.
E. Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering.
F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.
Answer
A. Configure AWS CloudTrail to log S3 data events.
D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.
F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.
Explanation
The question asks how to log all activities for objects in an S3 bucket, keep the logs for 5 years, and send the security team an email notification every time there is an attempt to delete data in the bucket. The combination of steps that meets these requirements most cost-effectively is A. Configure AWS CloudTrail to log S3 data events, D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic, and F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use CloudTrail to log S3 data events such as GetObject, DeleteObject, and PutObject for your S3 bucket. You can also use CloudTrail to log S3 management events such as CreateBucket, DeleteBucketPolicy, and PutBucketAcl for your S3 bucket. You can configure CloudTrail to deliver the log files to a new or existing S3 bucket.
Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. You can use EventBridge to create rules that match events from your S3 bucket and route them to targets such as AWS Lambda functions, Amazon Kinesis streams, or Amazon SNS topics. You can configure EventBridge to receive object deletion events from your S3 bucket by using an event pattern that matches the DeleteObject API call and the name of your S3 bucket.
Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables you to send messages or notifications to subscribers such as email addresses, mobile devices, HTTP endpoints, or other AWS services. You can use SNS to create a topic that receives messages from EventBridge when an object deletion event occurs in your S3 bucket. You can also subscribe your security team’s email addresses to the topic so that they receive an email notification every time there is an attempt to delete data in the S3 bucket.
An S3 Lifecycle policy is a set of rules that define actions that Amazon S3 applies to a group of objects. You can use an S3 Lifecycle policy to manage your objects during their lifetime. For example, you can use an S3 Lifecycle policy to transition objects to lower-cost storage classes such as S3 Standard-IA or S3 Glacier after a period of time, or to delete objects after a period of time. You can configure an S3 Lifecycle policy for the new S3 bucket that stores the CloudTrail logs and specify that the logs should be kept for 5 years before being deleted.
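The following is an added example, not part of this Q&A, showing the two configuration artefacts the explanation describes: the EventBridge event pattern that selects object deletions for one bucket (with a small exact-match evaluator run against constructed S3 events) and the lifecycle rule that retains the CloudTrail logs for 5 years. It assumes EventBridge notifications have been turned on for the monitored bucket (they are off by default); bucket names, object keys and the log prefix are constructed values.

```python
"""Added example, not from the exam answer: the EventBridge pattern and the
lifecycle rule the explanation describes, checked against constructed events.
Assumes EventBridge notifications are turned on for the bucket (off by default)."""
from typing import Any


def deletion_event_pattern(bucket: str) -> dict[str, Any]:
    """S3 'Object Deleted' notifications for one bucket. Permanent deletes
    and delete-marker creation (versioned buckets) share this detail-type,
    so every delete attempt is routed to the SNS topic."""
    return {
        "source": ["aws.s3"],
        "detail-type": ["Object Deleted"],
        "detail": {"bucket": {"name": [bucket]}},
    }


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """Exact-match subset of EventBridge semantics: each pattern key must be
    present; a list is the set of allowed values (any element of a list-valued
    event field may match); a dict is matched recursively. No content filters."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not (isinstance(got, dict) and matches(want, got)):
                return False
        elif not any(c in want for c in (got if isinstance(got, list) else [got])):
            return False
    return True


def sample_event(detail_type: str, bucket: str, reason: str) -> dict[str, Any]:
    """Constructed S3-to-EventBridge event (real field names, made-up values)."""
    return {
        "source": "aws.s3",
        "detail-type": detail_type,
        "resources": [f"arn:aws:s3:::{bucket}"],
        "detail": {"bucket": {"name": bucket},
                   "object": {"key": "reports/q4.csv"}, "reason": reason},
    }


def retention_lifecycle_rule(prefix: str = "AWSLogs/") -> dict[str, Any]:
    """Lifecycle rule for the log bucket: move CloudTrail objects to Glacier
    after 90 days to cut storage cost, expire them after 5 years (1825 days)."""
    return {
        "ID": "cloudtrail-logs-5y",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": 5 * 365},
    }
```

The pattern is what goes into the EventBridge rule whose target is the SNS topic; the rule dict is one entry of the bucket's lifecycle configuration.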
The other options are not correct because:
B. Configure S3 server access logging for the S3 bucket. This option is not correct because it does not provide detailed API tracking for Amazon S3 bucket-level and object-level operations. Server access logging provides records for requests that are made to a bucket such as requester, bucket name, request time, request action, response status, and error code. However, server access logging does not include information such as event name, source IP address, user identity, or additional request parameters.
C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES). This option is not correct because it does not leverage the benefits of using EventBridge and SNS for event routing and notification delivery. SES is a cloud-based email sending service that helps digital marketers and application developers send marketing, notification, and transactional emails. However, SES is not designed for receiving events from Amazon S3 or sending notifications to multiple subscribers.
E. Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering. This option is not correct because it does not leverage the benefits of using CloudTrail and S3 for logging and storing data events. Timestream is a fast, scalable, fully managed time series database service that makes it easy to store and analyze trillions of time series data points per day such as IoT telemetry data or DevOps metrics. However, Timestream is not designed for logging and storing API calls for Amazon S3 or other AWS services.
In summary, the combination of steps A, D, and F will meet the company’s requirements in the most cost-effective manner.