Monitor S3 Buckets: Source IP Address & User Identification | AWS Certified Security - Specialty Exam

Monitoring S3 Buckets: Tracking Source IP Address and User Identification

Question

Your company has defined a set of S3 buckets in AWS.

They need to monitor the S3 buckets and know the source IP address and the person who makes requests to the S3 bucket.

How can this be achieved?

Answers

Explanations


Answer: B.

The AWS documentation mentions the following:

Amazon S3 is integrated with AWS CloudTrail.

CloudTrail is a service that captures specific API calls made to Amazon S3 from your AWS account and delivers the log files to an Amazon S3 bucket that you specify.

It captures API calls made from the Amazon S3 console or from the Amazon S3 API.

Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on.
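As an added example (not from the original page or from the AWS documentation), the script below reads a constructed CloudTrail log delivery and pulls out, for each S3 call, when it happened, which API action it was, who made it and from which source IP. The record layout follows CloudTrail's `Records` array; the account IDs, ARNs, IP addresses and bucket names are invented.

```python
import json
from collections import Counter

# Constructed sample of a CloudTrail log delivery (a JSON object with a
# "Records" array); every account ID, ARN, IP and bucket name is invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-finance-bucket"}},
    {"eventTime": "2024-05-01T10:16:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/bob"},
     "requestParameters": {"bucketName": "example-finance-bucket"}},
    {"eventTime": "2024-05-01T10:17:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}},
    {"eventTime": "2024-05-01T10:18:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketAcl", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-logs-bucket"}},
]})


def s3_requests(log_text):
    """Return one summary per S3 API call: who, from where, what, when."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue  # a trail records every service; keep only S3 calls
        ident = rec.get("userIdentity", {})
        out.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            # the ARN names IAM users and assumed-role sessions alike
            "principal": ident.get("arn", ident.get("type", "unknown")),
            "source_ip": rec.get("sourceIPAddress"),
            "bucket": (rec.get("requestParameters") or {}).get("bucketName"),
        })
    return out


def calls_by_principal_and_ip(log_text):
    """Count S3 calls per (principal, source IP) pair for quick triage."""
    return Counter((r["principal"], r["source_ip"]) for r in s3_requests(log_text))
```

Bucket-level (management) events like these are recorded by a trail by default; object-level calls such as GetObject appear only if S3 data events are also enabled on the trail.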

Options A and C are incorrect because these services cannot be used to get the source IP address of the calls to S3 buckets.

Option D is incorrect because there is no need to record the object-level API activity in the S3 bucket.

Alternatively, you can use S3 server access logging to get the required information.

For more information on CloudTrail logging, please refer to the link below:

https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

The correct answer to the question is B: monitor the S3 API calls by using CloudTrail logging.

AWS CloudTrail is a service that provides a record of actions taken by a user, a role, or an AWS service in your AWS account. It enables governance, compliance, operational auditing, and risk auditing of your AWS account. CloudTrail can be used to monitor S3 API calls and provides information such as the source IP address and the person who made the request to the S3 bucket.

CloudTrail captures information about S3 bucket operations performed through the AWS Management Console, the AWS CLI, the AWS SDKs, and other AWS services. With CloudTrail, you can log, continuously monitor, and retain event history related to S3 bucket operations. CloudTrail logs can be stored in Amazon S3, CloudWatch Logs, or Amazon S3 Glacier.

On the other hand, VPC flow logs can be used to capture information about the IP traffic going to and from network interfaces in an Amazon VPC. They do not provide information about S3 bucket operations. Hence, option A is incorrect.

Option C, monitoring S3 API calls using CloudWatch logging, is not entirely accurate, since CloudWatch Logs can be used to monitor logs generated by AWS services, custom applications, and third-party applications. However, it does not capture the detailed information about S3 bucket operations, such as the source IP address and the person who made the request.

Finally, option D, S3 object-level logging, only logs operations related to objects within a bucket, such as create, delete, and modify operations on objects. It does not provide information about the source IP address and the person who made the request.

Therefore, the best option for meeting the requirement, monitoring the S3 buckets and knowing the source IP address and the person who made requests to the S3 bucket, is to enable CloudTrail logging.