You currently operate a web application deployed in AWS.
Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track API activities made to your global resources such as IAM.
The solution must ensure the integrity and confidentiality of your log data.
Which of these solutions would you recommend?
Answer - A.
AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account.
CloudTrail logs authenticated AWS API calls and AWS sign-in events and collects this event information in files delivered to Amazon S3 buckets; a trail that applies to all Regions also records global service events, which is how IAM activity is captured.
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.
This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
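The mechanism described above, as an added example that is not code from the page or from AWS: a Go program using only the standard library that builds a CloudTrail-style digest file over one log object, signs it the way CloudTrail does (SHA-256 with RSA, PKCS#1 v1.5, over a signing string made of the digest end time, the digest's bucket/key, the hex SHA-256 of the digest bytes and the previous digest's signature), and then verifies it four times: with the log untouched, after the log is edited, after the digest is rewritten to match the edit, and after the log is deleted. The digest field names follow CloudTrail's documented digest format but only the fields needed here are kept; the bucket name, object keys, the sample IAM record and the placeholder previous signature are constructed, a locally generated RSA key stands in for CloudTrail's signing key, and the start-of-chain case (a first digest with no previous signature) is not handled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Subset of the CloudTrail digest-file fields used here; real digests carry more (account ID, time bounds, key fingerprint, previous digest hash).
type LogFileEntry struct {
	S3Bucket  string `json:"s3Bucket"`
	S3Object  string `json:"s3Object"`
	HashValue string `json:"hashValue"` // hex SHA-256 of the log object as stored (gzipped) in S3
}

type DigestFile struct {
	DigestEndTime           string         `json:"digestEndTime"`
	DigestS3Bucket          string         `json:"digestS3Bucket"`
	DigestS3Object          string         `json:"digestS3Object"`
	PreviousDigestSignature string         `json:"previousDigestSignature"`
	LogFiles                []LogFileEntry `json:"logFiles"`
}

func sha256Hex(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// signingHash hashes the string CloudTrail signs for a digest (per its custom-validation docs): end time, bucket/object,
// hex SHA-256 of the digest bytes and the previous digest's signature, newline-separated. The last field chains digests.
func signingHash(digestBytes []byte, d DigestFile) []byte {
	s := d.DigestEndTime + "\n" + d.DigestS3Bucket + "/" + d.DigestS3Object + "\n" +
		sha256Hex(digestBytes) + "\n" + d.PreviousDigestSignature
	h := sha256.Sum256([]byte(s))
	return h[:]
}

// SignDigest plays CloudTrail's role: serialise the digest and sign it with SHA-256 with RSA (PKCS#1 v1.5).
// CloudTrail stores the signature hex-encoded in the digest object's S3 metadata; the private key never leaves AWS.
func SignDigest(priv *rsa.PrivateKey, d DigestFile) (digestBytes, sig []byte, err error) {
	if digestBytes, err = json.Marshal(d); err != nil {
		return nil, nil, err
	}
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signingHash(digestBytes, d))
	return digestBytes, sig, err
}

// VerifyDigest is the consumer side: verify the signature with CloudTrail's published public key, then
// confirm every listed log object still hashes to its recorded value. bucket stands in for S3 GetObject.
func VerifyDigest(pub *rsa.PublicKey, digestBytes, sig []byte, bucket map[string][]byte) error {
	var d DigestFile
	if err := json.Unmarshal(digestBytes, &d); err != nil {
		return fmt.Errorf("malformed digest: %w", err)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, signingHash(digestBytes, d), sig); err != nil {
		return fmt.Errorf("digest signature invalid (forged digest or wrong key): %w", err)
	}
	for _, lf := range d.LogFiles {
		if obj, ok := bucket[lf.S3Object]; !ok {
			return fmt.Errorf("%s: log file missing (deleted)", lf.S3Object)
		} else if sha256Hex(obj) != lf.HashValue {
			return fmt.Errorf("%s: hash mismatch (modified)", lf.S3Object)
		}
	}
	return nil
}

// Constructed sample log: an IAM call, which a multi-region trail records as a global-service event.
const sampleLog = `{"Records":[{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"alice"}}]}`

// Scenario signs a digest over one log file and returns the verification outcome with the log untouched,
// edited, edited with the digest rewritten to match, and deleted. Bucket name and object keys are assumed.
func Scenario() (clean, modified, forged, deleted error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for CloudTrail's signing key
	if err != nil {
		return err, err, err, err
	}
	const logKey = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/15/123456789012_CloudTrail_us-east-1_20240115T1200Z_abc123.json.gz"
	bucket := map[string][]byte{logKey: []byte(sampleLog)}
	d := DigestFile{DigestEndTime: "2024-01-15T13:00:00Z", DigestS3Bucket: "example-cloudtrail-logs",
		DigestS3Object:          "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/15/123456789012_CloudTrail-Digest_us-east-1_20240115T130000Z.json.gz",
		PreviousDigestSignature: "7f3a9c", // placeholder for the previous hour's signature
		LogFiles:                []LogFileEntry{{"example-cloudtrail-logs", logKey, sha256Hex(bucket[logKey])}}}
	digestBytes, sig, err := SignDigest(priv, d)
	if err != nil {
		return err, err, err, err
	}
	clean = VerifyDigest(&priv.PublicKey, digestBytes, sig, bucket)
	bucket[logKey] = []byte(`{"Records":[]}`) // attacker with write access scrubs the record
	modified = VerifyDigest(&priv.PublicKey, digestBytes, sig, bucket)
	d.LogFiles[0].HashValue = sha256Hex(bucket[logKey]) // and rewrites the digest to match
	forgedBytes, _ := json.Marshal(d)
	forged = VerifyDigest(&priv.PublicKey, forgedBytes, sig, bucket)
	delete(bucket, logKey)
	deleted = VerifyDigest(&priv.PublicKey, digestBytes, sig, bucket)
	return clean, modified, forged, deleted
}

func main() { fmt.Println(Scenario()) } // untouched, modified log, forged digest, deleted log
```

Run it with `go run`: the untouched case returns nil, the edited log fails on the hash, the rewritten digest fails on the signature (the attacker cannot re-sign without CloudTrail's private key), and the deleted log fails as missing. Against a real trail you do not generate a key: `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` performs this chain check for you, and `aws cloudtrail list-public-keys` returns the public keys if you want to verify digests yourself.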
Option B is incorrect because it relies on SNS delivery notifications instead of enabling log file integrity validation; a notification confirms that a file was delivered, not that it is still unaltered afterwards.
Option C is incorrect because it secures the bucket with S3 ACLs rather than a bucket policy, and reuses an existing bucket whose other principals may already have access to the logs.
Option D is incorrect because one multi-region trail already records console, SDK and command-line calls alike (CloudTrail records the caller's user agent in each event), so three trails and three buckets add cost and complexity without improving integrity or confidentiality.
For more information on CloudTrail, please visit the below URL:
http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
Option A: This option recommends creating a new CloudTrail trail that applies to all AWS Regions, and using one new S3 bucket to store the logs. A trail that applies to all Regions also records global service events, so IAM activity is captured. IAM roles, S3 bucket policies, and Multi-Factor Authentication (MFA) Delete are also recommended to ensure the integrity and confidentiality of the log data: the bucket policy restricts who can read the logs, and MFA Delete (which requires bucket versioning and can only be enabled by the bucket owner's root user through the API or CLI) stops a compromised credential from permanently deleting log objects or suspending versioning. Additionally, enabling log file integrity validation for CloudTrail makes any later modification or deletion of a delivered log file detectable. This option meets the requirements of the compliance officer by providing a durable logging solution that tracks API activities made to global resources such as IAM, while also ensuring the integrity and confidentiality of the log data. Therefore, Option A is the correct answer.
Option B: This option recommends creating a new CloudTrail with one new S3 bucket to store the logs, and configuring SNS to send log file delivery notifications to your management system. IAM roles and S3 bucket policies are also recommended to secure the S3 bucket. However, MFA Delete is not mentioned, so a principal with delete permission could remove log files, and nothing in this option (a delivery notification proves delivery, not later integrity) would reveal that a file had been altered or removed. Additionally, this option does not specify how to ensure the confidentiality of the log data. Therefore, Option B is not the best solution.
Option C: This option recommends creating a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. S3 ACLs and MFA Delete are also recommended to ensure the integrity and confidentiality of the log data. However, S3 ACLs are coarser than bucket policies, an existing bucket may already grant access to other principals, and this option does not specify how to secure the bucket using IAM roles and S3 bucket policies, which could pose a security risk. Therefore, Option C is not the best solution.
Option D: This option recommends creating three new CloudTrail trails with three new S3 buckets to store the logs, one for the AWS Management Console, one for AWS SDKs, and one for command-line tools. IAM roles and S3 bucket policies are also recommended to secure the S3 buckets. However, this option is not the most efficient solution: a single trail already records calls from all three sources, so multiple trails and buckets only add complexity and cost. Additionally, this option does not specify how to ensure the confidentiality of the log data. Therefore, Option D is not the best solution.
In conclusion, Option A is the best solution because it meets all the requirements of the compliance officer: tracking API activities made to global resources such as IAM, ensuring the integrity and confidentiality of the log data, and using a single CloudTrail trail and S3 bucket to keep the logging solution simple.