AWS CloudTrail Configuration for Multi-Region Logs Delivery

Configuring CloudTrail Logs Delivery to Existing S3 Bucket

Question

A start-up firm has enabled AWS CloudTrail in the us-west-1 region delivering all logs to an Amazon S3 bucket in the same region.

Recently the firm has expanded to other regions.

The security team is looking for CloudTrail logs from all the regions to be delivered to the existing Amazon S3 bucket in the us-west-1 region. What configuration can be done to meet these requirements in the most efficient way?

Answers

Explanations


Correct Answer: D.

CloudTrail trails can be configured as multi-region trails, which log events from all regions.

These logs can be delivered to a single Amazon S3 bucket.

CloudTrail should have write permission on this Amazon S3 bucket to deliver logs.

Option A is incorrect as full permission is not required.

Only write permission is necessary to deliver logs from all regions to an Amazon S3 bucket.

Options B and C are incorrect: although they would work, they incur additional administrative work to configure replication between the Amazon S3 bucket in each region and the Amazon S3 bucket in the us-west-1 region.

For more information on aggregating log files to a single Amazon S3 bucket, refer to the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
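As an added illustration of the write-permission point above (not part of the original explanation), the following Python builds the least-privilege bucket policy CloudTrail needs on the us-west-1 bucket, in the shape AWS documents for it, and checks a policy for over-broad grants such as the full permission in option A. The bucket name, account ID and trail ARN are constructed placeholders.

```python
import json

# Constructed placeholders; replace with the real bucket, account and trail.
BUCKET = "example-cloudtrail-logs-usw1"
ACCOUNT_ID = "123456789012"
TRAIL_ARN = f"arn:aws:cloudtrail:us-west-1:{ACCOUNT_ID}:trail/all-regions-trail"
CLOUDTRAIL = "cloudtrail.amazonaws.com"
REQUIRED_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject"}


def cloudtrail_bucket_policy(bucket: str, account_id: str, trail_arn: str) -> dict:
    """Bucket policy letting CloudTrail read the bucket ACL and write objects only
    under AWSLogs/<account>/, with ownership handed to the bucket owner and the
    grant scoped to one trail via aws:SourceArn. Nothing broader is needed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL},
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
             "Condition": {"StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control",
                 "aws:SourceArn": trail_arn}}},
        ],
    }


def cloudtrail_actions(policy: dict) -> set:
    """Collect every action an Allow statement grants to the CloudTrail service principal."""
    granted = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or CLOUDTRAIL not in services:
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def is_least_privilege(policy: dict) -> bool:
    """True when CloudTrail gets exactly the ACL-check and write actions and nothing wider."""
    return cloudtrail_actions(policy) == REQUIRED_ACTIONS


if __name__ == "__main__":
    print(json.dumps(cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, TRAIL_ARN), indent=2))
```

A policy granting `s3:*` (the "full permission" of option A) fails the check even though log delivery would still succeed.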

The correct answer to this question is B. Configure CloudTrail as a multi-region trail to deliver log files in the Amazon S3 bucket in each region and then use Cross-region Replication (CRR) to aggregate log files to the Amazon S3 bucket in the us-west-1 region.

Explanation: CloudTrail is a service that records all API calls made in an AWS account and delivers them as log files to an Amazon S3 bucket. CloudTrail can be configured as a single-region trail or a multi-region trail.

A single-region trail logs all events that occur within an AWS region and delivers the logs to an S3 bucket within that same region. A multi-region trail logs events from all the regions in an AWS account and delivers the logs to an S3 bucket in a single region of the user's choice.

In this scenario, the start-up firm has enabled CloudTrail in the us-west-1 region and is delivering all logs to an S3 bucket in the same region. However, as the firm has expanded to other regions, the security team requires CloudTrail logs from all the regions to be delivered to the existing Amazon S3 bucket in the us-west-1 region.

To meet these requirements in the most efficient way, CloudTrail should be configured as a multi-region trail to deliver log files to the Amazon S3 bucket in each region. This ensures that CloudTrail logs from all regions are captured and delivered to the corresponding S3 bucket in the same region.

To aggregate log files to the Amazon S3 bucket in the us-west-1 region, Cross-region Replication (CRR) can be used. CRR is a feature of S3 that automatically replicates objects from one S3 bucket to another across different AWS regions. In this scenario, CRR can be used to replicate the CloudTrail logs from the S3 buckets in the different regions to the S3 bucket in the us-west-1 region.

Therefore, the correct configuration to meet the security team's requirements in the most efficient way is to configure CloudTrail as a multi-region trail to deliver log files to the Amazon S3 bucket in each region and then use Cross-region Replication (CRR) to aggregate log files to the Amazon S3 bucket in the us-west-1 region.