As an AWS systems administrator for your company, you have enabled CloudTrail logs for your company's account.
The head of IT operations has also advised that the logs need to be encrypted.
As the AWS admin for the company, what advice would you offer?
A. B. C. D.
Correct Answer: B.
By default, the CloudTrail logs delivered to the S3 bucket are encrypted with server-side encryption using SSE-S3.
A is incorrect because you can encrypt data in transit using SSL or client-side encryption.
To encrypt data at rest in Amazon S3, you can use S3 server-side encryption or client-side encryption.
However, we do not need to encrypt data in transit using SSL because CloudTrail logs are automatically encrypted using AWS SSE-S3 server-side encryption.
C and D are incorrect since the CloudTrail logs are encrypted by default.
As an AWS Systems Administrator, if you have enabled CloudTrail logs for your company's account, you can ensure that the logs are encrypted by using AWS Key Management Service (KMS).
Option A is not correct as TLS certificates are used for secure communication between the client and the server, whereas the question is about encrypting the logs.
Option B is not correct: while it is true that CloudTrail logs are secure by default, they are not encrypted by default.
Option C is not the best option as it only enforces encryption for a specific bucket. It does not ensure that all logs are encrypted.
Option D is the correct answer as it suggests using AWS KMS to encrypt the CloudTrail logs. AWS KMS is a fully managed service that makes it easy to create and control the encryption keys used to encrypt your data.
When AWS KMS is used to encrypt CloudTrail logs, the logs are stored in an encrypted format, and the encryption keys are managed by AWS KMS. This ensures that the data is encrypted at rest and is protected from unauthorized access. Additionally, AWS KMS provides a simple way to manage and rotate encryption keys, making it easy to maintain the security of your data.
In conclusion, the best advice for encrypting CloudTrail logs would be to use AWS KMS.