AWS CloudTrail Configuration for Enabling CloudTrail in an AWS Organization

Enable CloudTrail in an AWS Organization | CloudTrail Configuration Guide

Question

As a system administrator, you would like to enable CloudTrail for all accounts in an AWS Organization.

The logs of the trail will be stored in an existing S3 bucket in the us-east-1 region.

SSE-KMS encryption must be enabled in the S3 bucket with the log files encrypted by a customer-managed AWS KMS key.

To achieve this, which of the following configurations is required?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer: B.

Option A is incorrect because there is no such requirement for the key material's original value of the KMS key.

The original value can be KMS (default), External or Custom key store.

Option B is CORRECT because the KMS key must be in the same region us-east-1 to be used by the S3 bucket.

Please also check the following snapshot when creating a trail:

Option C is incorrect because Log file validation uses digest files to verify the integrity of log files, and this setting is optional.

Option D is incorrect because the KMS key may be owned by another AWS account as long as the key policy is properly configured, allowing CloudTrail to use it for encryption and decryption.

Reference:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html?icmpid=docs_cloudtrail_console
Log file SSE-KMS encryption Info
Enabled

Customer managed AWS KMS key
© New
© Existing

AWS KMS alias

Q Choose a KMS alias

KMS key and $3 bucket must be in the same region.

To enable CloudTrail for all accounts in an AWS Organization and store the logs in an S3 bucket with SSE-KMS encryption enabled using a customer-managed AWS KMS key, the following configuration is required:

B. The KMS key and the S3 bucket must be in the same region.

This is because SSE-KMS encryption requires that the KMS key and the S3 bucket be in the same AWS Region. If they are not in the same region, SSE-KMS encryption cannot be enabled.

A. The key material original value of the KMS key must be “External” is incorrect. This is because the "External" value is used when a KMS key is imported and its key material is provided by the user. However, customer-managed KMS keys are created by AWS KMS and do not have an "External" key material option.

C. Log file validation must be enabled in the trail is incorrect. While enabling log file validation can improve the integrity of CloudTrail log files, it is not a requirement for enabling SSE-KMS encryption.

D. The KMS key and the S3 bucket must be owned by the same AWS account is incorrect. It is not necessary for the KMS key and the S3 bucket to be owned by the same AWS account to enable SSE-KMS encryption. However, the AWS account that owns the KMS key must have the necessary permissions to use the key to encrypt objects in the S3 bucket.