AWS Logging Solutions for Tracking Changes to Your AWS Resources


Question

Which of the following is a reliable and durable logging solution to track changes made to your AWS resources?


Answer - A.

AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, a service that logs AWS events made by or on behalf of your AWS account.

CloudTrail logs authenticated AWS API calls and also AWS sign-in events, and collects this event information in files that are delivered to Amazon S3 buckets.

You need to ensure that all services are included.

Hence option B is partially correct.

Options B and D are wrong because they just add overhead by requiring 3 S3 buckets and SNS notifications.

For more information on CloudTrail, see the URL below:

http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

The answer to this question is A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies, and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

Here is a detailed explanation of the correct answer:

AWS CloudTrail is a service that provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. CloudTrail logs all API calls made to AWS services in your account, including resource creation, modification, and deletion, as well as AWS management console sign-in events. CloudTrail records this activity in log files and delivers them to an Amazon S3 bucket that you specify.

To set up CloudTrail to track changes made to your AWS resources, you need to create a new trail and specify the S3 bucket where you want to store the logs. In this case, the recommended option is to create a new S3 bucket specifically for CloudTrail logs. This ensures that CloudTrail logs are isolated from other S3 objects, and it provides better control over access and permissions to the logs.

In addition to creating a new trail and S3 bucket, you should also configure IAM roles, S3 bucket policies, and MFA delete on the S3 bucket that stores your logs. IAM roles allow you to grant permissions to CloudTrail to write logs to your S3 bucket, while S3 bucket policies allow you to control access to the S3 bucket and its objects. MFA delete adds an extra layer of security to the S3 bucket by requiring multi-factor authentication for any delete operation.

The global services option in CloudTrail enables logging of events for all AWS services in all regions, which is useful for tracking changes made to your entire AWS account. This option should be selected when creating the CloudTrail trail.
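The steps above can be checked mechanically against a trail's configuration. The following is an added example, not code from the original page or from AWS: it builds the bucket policy CloudTrail needs in order to deliver logs, and audits a trail plus its bucket's versioning state against the controls in answer A. The dict shapes mirror what `aws cloudtrail describe-trails` and `aws s3api get-bucket-versioning` return, but every value (bucket name, account ID, trail ARN, trail name) is a constructed placeholder. Note that the API exposes the "global services" checkbox as `IncludeGlobalServiceEvents` and the "all regions" choice as the separate `IsMultiRegionTrail` flag, so the audit checks both.

```python
"""Audit a CloudTrail trail and its log bucket against the controls in answer A.

Added example, not part of the original page. Dict shapes mirror the
`describe-trails` and `get-bucket-versioning` CLI responses; the values are
constructed sample data, not real account output.
"""
import json

# Constructed sample: a trail configured the way answer A describes (assumed values).
SAMPLE_TRAIL = {
    "Name": "org-audit-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "HomeRegion": "us-east-1",
}

# Constructed sample: versioning state of the log bucket with MFA Delete on.
SAMPLE_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}


def cloudtrail_bucket_policy(bucket: str, account_id: str, trail_arn: str) -> dict:
    """Return the bucket policy CloudTrail needs to deliver logs to `bucket`.

    Statement 1 lets the CloudTrail service principal check the bucket ACL;
    statement 2 lets it write objects under AWSLogs/<account>/ only when it
    grants the bucket owner full control. The aws:SourceArn condition ties
    both statements to one specific trail so a trail in another account
    cannot deliver into this bucket (confused-deputy protection).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def audit_trail(trail: dict, versioning: dict) -> list:
    """Return a list of findings; an empty list means the trail matches answer A."""
    findings = []
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS, CloudFront) are not logged")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; API calls in other regions are missed")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off; tampering with delivered logs is undetectable")
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning is off; MFA Delete requires versioning")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is not enabled; a single leaked credential can erase history")
    return findings


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own bucket, account and trail ARN.
    policy = cloudtrail_bucket_policy(
        "example-cloudtrail-logs",
        "111122223333",
        "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail",
    )
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trail(SAMPLE_TRAIL, SAMPLE_VERSIONING) or "none")
```

The policy is what you attach with `aws s3api put-bucket-policy`; the `s3:x-amz-acl` condition is mandatory, since CloudTrail refuses delivery to a bucket that does not let it grant the owner full control. MFA Delete itself is turned on with `aws s3api put-bucket-versioning --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<serial> <code>"`, which only the account's root user can run, so the audit treats a missing or suspended versioning status as a finding in its own right.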

Therefore, the correct answer is A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies, and Multi-Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.