
Amazon AWS Certified Solutions Architect – Professional SAP-C02 Exam Question & Answer: Steps to keep logs with notification

Question

A company is storing sensitive data in an Amazon S3 bucket. The company must log all activities for objects in the S3 bucket and must keep the logs for 5 years. The company’s security team also must receive an email notification every time there is an attempt to delete data in the S3 bucket.

Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)

A. Configure AWS CloudTrail to log S3 data events.
B. Configure S3 server access logging for the S3 bucket.
C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES).
D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.
E. Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering.
F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.

Answer

A. Configure AWS CloudTrail to log S3 data events.
D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.
F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.

Explanation 1

The question asks how to log all activities for objects in an S3 bucket and keep the logs for 5 years, while the security team also receives an email notification every time there is an attempt to delete data in the S3 bucket. The combination of steps that meets these requirements most cost-effectively is A. Configure AWS CloudTrail to log S3 data events, D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic, and F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use CloudTrail to log S3 data events such as GetObject, DeleteObject, and PutObject for your S3 bucket. You can also use CloudTrail to log S3 management events such as CreateBucket, DeleteBucketPolicy, and PutBucketAcl for your S3 bucket. You can configure CloudTrail to deliver the log files to a new or existing S3 bucket.
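The following is an added example, not code from the page or from AWS: it builds the CloudTrail advanced event selector that turns on object-level logging for a single bucket, and then runs a small check over constructed CloudTrail records that reports every DeleteObject attempt against that bucket, including calls that were denied (CloudTrail records those too, with an errorCode). The bucket name, account id, principals and IP addresses are made-up placeholders.

```python
import json

# Hypothetical bucket name (not from the page).
SENSITIVE_BUCKET = "example-sensitive-data-bucket"


def s3_data_event_selector(bucket: str) -> list:
    """Advanced event selector that logs every object-level (data) event on one
    bucket. Pass the JSON to
    `aws cloudtrail put-event-selectors --trail-name <trail> --advanced-event-selectors`."""
    return [{
        "Name": f"All S3 data events for {bucket}",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            # The trailing slash scopes the selector to objects inside this bucket only.
            {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket}/"]},
        ],
    }]


DELETE_EVENT_NAMES = {"DeleteObject", "DeleteObjects"}


def delete_attempts(records: list, bucket: str) -> list:
    """Return one summary per delete *attempt* against `bucket`.

    A denied call still produces a CloudTrail record, marked with `errorCode`,
    so it is reported with denied=True instead of being silently dropped."""
    found = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in DELETE_EVENT_NAMES:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        found.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "key": params.get("key"),
            "denied": "errorCode" in rec,
            "error": rec.get("errorCode"),
        })
    return found


# Constructed sample records in the shape CloudTrail delivers for S3 data events.
SAMPLE_RECORDS = [
    {   # successful deletion by an IAM user
        "eventTime": "2024-01-15T10:02:11Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": SENSITIVE_BUCKET, "key": "reports/q4.csv"},
    },
    {   # denied attempt: still logged, with errorCode
        "eventTime": "2024-01-15T10:05:40Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject", "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/contractor"},
        "requestParameters": {"bucketName": SENSITIVE_BUCKET, "key": "reports/q3.csv"},
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
    },
    {   # a read, not a delete
        "eventTime": "2024-01-15T10:07:02Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": SENSITIVE_BUCKET, "key": "reports/q4.csv"},
    },
    {   # a delete on some other bucket
        "eventTime": "2024-01-15T10:09:30Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "unrelated-bucket", "key": "tmp.bin"},
    },
]

if __name__ == "__main__":
    print(json.dumps(s3_data_event_selector(SENSITIVE_BUCKET), indent=2))
    for attempt in delete_attempts(SAMPLE_RECORDS, SENSITIVE_BUCKET):
        print(attempt)
```

The point of reporting denied calls separately is that the question asks for notification of every *attempt* to delete data; CloudTrail is the only one of the listed sources that keeps a record of attempts that did not succeed.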

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. You can use EventBridge to create rules that match events from your S3 bucket and route them to targets such as AWS Lambda functions, Amazon Kinesis streams, or Amazon SNS topics. You can configure EventBridge to receive object deletion events from your S3 bucket by using an event pattern that matches the DeleteObject API call and the name of your S3 bucket.

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service that enables you to send messages or notifications to subscribers such as email addresses, mobile devices, HTTP endpoints, or other AWS services. You can use SNS to create a topic that receives messages from EventBridge when an object deletion event occurs in your S3 bucket. You can also subscribe your security team’s email addresses to the topic so that they receive an email notification every time there is an attempt to delete data in the S3 bucket.
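As an added example (not code from the page or from AWS), the EventBridge side of option D: the event pattern that matches only "Object Deleted" events from the sensitive bucket, the SNS target for the rule, and a matcher implementing the exact-match subset of EventBridge pattern semantics so the pattern can be exercised against constructed S3 events offline. The bucket name, account id and topic ARN are placeholders.

```python
import json

# Hypothetical names (not from the page).
SENSITIVE_BUCKET = "example-sensitive-data-bucket"
SECURITY_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-team-alerts"

# S3 only emits to EventBridge once notifications are enabled on the bucket:
#   aws s3api put-bucket-notification-configuration --bucket <bucket> \
#       --notification-configuration '{"EventBridgeConfiguration": {}}'


def object_deleted_pattern(bucket: str, api_deletes_only: bool = False) -> dict:
    """Event pattern for `aws events put-rule --event-pattern`.

    With api_deletes_only=True the rule ignores objects expired by a lifecycle
    rule (reason "Lifecycle") and matches only DeleteObject calls."""
    detail = {"bucket": {"name": [bucket]}}
    if api_deletes_only:
        detail["reason"] = ["DeleteObject"]
    return {
        "source": ["aws.s3"],
        "detail-type": ["Object Deleted"],
        "detail": detail,
    }


def sns_target(topic_arn: str) -> list:
    """Target list for `aws events put-targets --rule <rule> --targets`.
    The team's addresses are subscribed to the topic with
    `aws sns subscribe --protocol email`."""
    return [{"Id": "security-team-sns", "Arn": topic_arn}]


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge semantics: every key in the pattern
    must exist in the event; a list means 'the event value is one of these';
    a nested dict recurses into the event's nested object."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True


def select(events: list, pattern: dict) -> list:
    return [e for e in events if matches(pattern, e)]


def s3_event(detail_type: str, bucket: str, key: str, reason: str) -> dict:
    """Constructed event in the shape S3 sends to EventBridge."""
    return {
        "version": "0", "source": "aws.s3", "detail-type": detail_type,
        "region": "us-east-1", "account": "123456789012",
        "detail": {"version": "0", "bucket": {"name": bucket},
                   "object": {"key": key}, "reason": reason},
    }


SAMPLE_EVENTS = [
    s3_event("Object Deleted", SENSITIVE_BUCKET, "reports/q4.csv", "DeleteObject"),
    s3_event("Object Created", SENSITIVE_BUCKET, "reports/q1.csv", "PutObject"),
    s3_event("Object Deleted", "unrelated-bucket", "tmp.bin", "DeleteObject"),
    s3_event("Object Deleted", SENSITIVE_BUCKET, "old/2019.log", "Lifecycle"),
]

if __name__ == "__main__":
    pattern = object_deleted_pattern(SENSITIVE_BUCKET)
    print(json.dumps(pattern, indent=2))
    print(json.dumps(sns_target(SECURITY_TOPIC_ARN), indent=2))
    for e in select(SAMPLE_EVENTS, pattern):
        print("would notify:", e["detail"]["object"]["key"], e["detail"]["reason"])
```

Two things the sample shows that the prose does not: the pattern filters on the bucket name inside `detail`, so a single rule on the default bus does not fire for every bucket in the account, and lifecycle expirations also arrive as "Object Deleted" events, which is why the optional `reason` filter exists. EventBridge only sees deletions that succeeded; denied attempts are visible only in the CloudTrail data events.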

An S3 Lifecycle policy is a set of rules that define actions that Amazon S3 applies to a group of objects. You can use an S3 Lifecycle policy to manage your objects during their lifetime. For example, you can use an S3 Lifecycle policy to transition objects to lower-cost storage classes such as S3 Standard-IA or S3 Glacier after a period of time or delete objects after a period of time. You can configure an S3 Lifecycle policy for the new S3 bucket that stores the CloudTrail logs and specify that the logs should be kept for 5 years before being deleted.

The other options are not correct because:

B. Configure S3 server access logging for the S3 bucket. This option is not correct because it does not provide detailed API tracking for Amazon S3 bucket-level and object-level operations. Server access logging provides records for requests that are made to a bucket such as requester, bucket name, request time, request action, response status, and error code. However, server access logging does not include information such as event name, source IP address, user identity, or additional request parameters.

C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES). This option is not correct because it does not leverage the benefits of using EventBridge and SNS for event routing and notification delivery. SES is a cloud-based email sending service that helps digital marketers and application developers send marketing, notification, and transactional emails. However, SES is not designed for receiving events from Amazon S3 or sending notifications to multiple subscribers.

E. Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering. This option is not correct because it does not leverage the benefits of using CloudTrail and S3 for logging and storing data events. Timestream is a fast, scalable, fully managed time series database service that makes it easy to store and analyze trillions of time series data points per day such as IoT telemetry data or DevOps metrics. However, Timestream is not designed for logging and storing API calls for Amazon S3 or other AWS services.

Explanation 2

To meet the requirements most cost-effectively, the following combination of steps should be taken:

A. Configure AWS CloudTrail to log S3 data events.

By configuring AWS CloudTrail to log S3 data events, all activities for objects in the S3 bucket will be recorded, including object deletion events. This is a cost-effective way to log all activities for the S3 bucket.

D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.

By configuring Amazon S3 to send object deletion events to an Amazon EventBridge event bus, which then publishes to an Amazon SNS topic, the company’s security team can receive email notifications through Amazon SNS whenever there is an attempt to delete data in the S3 bucket. This is a cost-effective way to meet the email notification requirement.

F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.

By configuring a new S3 bucket to store the logs, the company can ensure that the logs will be kept separate from the sensitive data. To meet the requirement of keeping the logs for 5 years, an S3 Lifecycle policy can be configured to transition the logs to a lower-cost storage class (e.g., S3 Glacier Deep Archive) after a certain period of time and eventually delete them after 5 years. This approach is cost-effective for long-term log storage.

In summary, the combination of steps A, D, and F will meet the company’s requirements in the most cost-effective manner.

Explanation 3

To meet the requirements of logging all activities for objects in the S3 bucket and keeping the logs for 5 years, you can configure AWS CloudTrail to log S3 data events. You can also configure S3 server access logging for the S3 bucket.

To meet the requirement of sending an email notification every time there is an attempt to delete data in the S3 bucket, you can configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.

You can also configure a new S3 bucket to store the logs with an S3 Lifecycle policy.

Explanation 4

The combination of steps that will meet these requirements MOST cost-effectively is:

  • A. Configure AWS CloudTrail to log S3 data events. This will log all activities for objects in the S3 bucket, including deletion events.
  • C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES). This will send an email notification to the security team every time there is an attempt to delete data in the S3 bucket.
  • F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy. This will store the logs for 5 years and then delete them.

The other options are not as cost-effective.

  • B. Configure S3 server access logging for the S3 bucket. This will log all access to the S3 bucket, not just deletion events. This will generate a lot of logs, which will increase the cost of storage.
  • D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic. This will send an email notification to the security team every time there is an attempt to delete data in the S3 bucket. However, it will also send an email notification for every other type of event that occurs in the S3 bucket, which will increase the cost of email notifications.
  • E. Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering. This will store the logs in Amazon Timestream, which is a time series database. This will increase the cost of storage, and it will also increase the cost of querying the logs.

Explanation 5

The combination of steps that will meet these requirements MOST cost-effectively are Option A, Option B, and Option D.

Here’s why:

  • Option A: AWS CloudTrail can be used to log S3 data events. This will help the company log all activities for objects in the S3 bucket and keep the logs for 5 years.
  • Option B: S3 server access logging can be configured for the S3 bucket. This will help the company log all activities for objects in the S3 bucket and keep the logs for 5 years.
  • Option D: Amazon S3 can be configured to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic. This will help the company’s security team receive an email notification every time there is an attempt to delete data in the S3 bucket.

Explanation 6

To meet the requirements most cost-effectively, the following combination of steps should be taken:

A. Configure AWS CloudTrail to log S3 data events.

By configuring AWS CloudTrail to log S3 data events, you will be able to record all activities related to objects in the S3 bucket, including object-level API activity. This will help you keep track of all actions performed on the bucket and its objects, allowing you to meet the requirement of logging all activities.

D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.

By configuring Amazon S3 to send object deletion events to Amazon EventBridge, you can create a rule that triggers an Amazon SNS topic when a deletion event is detected. This will allow the company’s security team to receive email notifications every time there is an attempt to delete data in the S3 bucket.

F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.

To store the logs for 5 years, you can create a new S3 bucket and configure an S3 Lifecycle policy on it. The Lifecycle policy can be set to transition objects to different storage classes, such as Amazon S3 One Zone-Infrequent Access, to reduce storage costs over time. Additionally, you can set a policy to expire objects after 5 years, ensuring that logs are kept for the required duration.

In summary, the most cost-effective combination of steps to meet the requirements is to:

1. Configure AWS CloudTrail to log S3 data events (A).

2. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic (D).

3. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy (F).

Explanation 7

The combination of steps that will meet the requirements most cost-effectively is:

A. Configure AWS CloudTrail to log S3 data events.
B. Configure S3 server access logging for the S3 bucket.
D. Configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.

  • Step A: Configuring AWS CloudTrail to log S3 data events allows you to capture detailed information about the actions taken on the objects in the S3 bucket. This includes actions such as object creation, deletion, and modification. CloudTrail logs provide a comprehensive audit trail for compliance and security purposes. By enabling CloudTrail, you can ensure all activities for objects in the S3 bucket are logged.
  • Step B: Configuring S3 server access logging enables the logging of requests made to the S3 bucket. This includes access attempts, such as GetObject requests, PutObject requests, etc. Server access logs provide valuable information about who accessed the objects and when. By enabling server access logging, you can ensure comprehensive logging of all activities related to the S3 bucket.
  • Step D: Configuring Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon SNS topic allows you to receive email notifications whenever there is an attempt to delete data in the S3 bucket. By setting up this event-driven architecture, you can trigger notifications whenever an object deletion event occurs. This helps the security team stay informed and take necessary actions if unauthorized deletions are attempted.

Steps C, E, and F are not necessary or may incur additional costs:

  • Step C: Configuring Amazon S3 to send object deletion events to Amazon SES (Simple Email Service) may add unnecessary complexity. Sending the deletion events to an EventBridge event bus with an SNS topic (as described in step D) is a more direct and efficient way to achieve the desired email notifications.
  • Step E: Configuring Amazon S3 to send logs to Amazon Timestream is not necessary for this scenario. Amazon Timestream is a purpose-built time series database and is typically used for analyzing time-series data at scale. Since the requirement is to keep logs for 5 years and not perform real-time analysis, using Timestream would introduce unnecessary costs.
  • Step F: While configuring a new S3 bucket with an S3 Lifecycle policy to store the logs is a valid option, it is not explicitly required in this scenario. The logs can be stored in the same S3 bucket where the sensitive data is stored or in a separate bucket. The focus of the requirements is on logging activities and receiving email notifications, rather than on specific storage lifecycle management.

In summary, the combination of steps A, B, and D provides a cost-effective solution to meet the logging and notification requirements for the sensitive data stored in the Amazon S3 bucket.

Explanation 8

The most cost-effective way to meet these requirements is to configure AWS CloudTrail to log S3 data events, configure S3 server access logging for the S3 bucket, and configure Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.

AWS CloudTrail is a service that records all API calls made to your AWS account. This includes calls made to Amazon S3. By configuring CloudTrail to log S3 data events, you will be able to track all activities for objects in the S3 bucket.

S3 server access logging records all requests made to your S3 bucket. This includes requests to delete objects. By configuring S3 server access logging, you will be able to track all attempts to delete data in the S3 bucket.

Amazon EventBridge is a service that allows you to route events from one AWS service to another. By configuring Amazon S3 to send object deletion events to an Amazon EventBridge event bus, you will be able to send notifications to Amazon SNS whenever an object is deleted from the S3 bucket.

Amazon SNS is a service that allows you to send notifications to email addresses or other endpoints. By configuring Amazon S3 to send object deletion events to an Amazon EventBridge event bus that publishes to an Amazon SNS topic, you will be able to send email notifications to the security team whenever an object is deleted from the S3 bucket.

This combination of steps will meet the company’s requirements in the most cost-effective way.

Explanation 9

The correct answer is A, D, and F.

A is correct because AWS CloudTrail can track both bucket-level and object-level operations on Amazon S3, while providing detailed information such as the identity of the requester, the time of the request, the source IP address of the request, and more. CloudTrail is also more cost-effective than S3 server access logging, which charges for both the storage and requests of the log files.

D is correct because Amazon EventBridge can receive object deletion events from Amazon S3 and route them to an Amazon SNS topic, which can then send email notifications to subscribers. This is more cost-effective than using Amazon SES, which charges for both sending and receiving emails.

F is correct because storing the logs in a new S3 bucket with a lifecycle policy can reduce the storage costs by transitioning the logs to a lower-cost storage class after a certain period of time, and deleting them after 5 years. This is more cost-effective than using Amazon Timestream, which is a time-series database service that charges for both ingestion and storage of data.

Explanation 10

The combination of steps that will meet these requirements MOST cost-effectively is A, C, and F.

  • A. Configure AWS CloudTrail to log S3 data events. This will log all activities for objects in the S3 bucket, including attempts to delete data.
  • C. Configure Amazon S3 to send object deletion events to Amazon Simple Email Service (Amazon SES). This will send an email notification to the security team every time there is an attempt to delete data in the S3 bucket.
  • F. Configure a new S3 bucket to store the logs with an S3 Lifecycle policy. This will store the logs for 5 years.

Here are some additional details about each of these services:

  • AWS CloudTrail is a service that records all API calls made to AWS services. This includes calls made to Amazon S3.
  • Amazon Simple Email Service (Amazon SES) is a service that allows you to send emails. You can use Amazon SES to send an email notification to the security team every time there is an attempt to delete data in the S3 bucket.
  • Amazon S3 Lifecycle is a service that allows you to manage the lifecycle of your objects in Amazon S3. You can use Amazon S3 Lifecycle to store the logs for 5 years.
