AWS Certified SysOps Administrator Practice Exam


Prepare for the AWS Certified SysOps Administrator Exam. Utilize flashcards, multiple-choice questions, tips, and in-depth explanations. Get exam-ready!



What is the best practice for securing AWS CloudTrail logs from tampering?

  1. Stored in a public S3 bucket

  2. Use CloudTrail log file integrity

  3. Manually backup logs to Glacier

  4. Encrypt logs using KMS

The correct answer is: Use CloudTrail log file integrity

Using CloudTrail log file integrity validation is considered the best practice for securing AWS CloudTrail logs from tampering because it provides a built-in mechanism to ensure the integrity of the log files. When this feature is enabled, CloudTrail creates a checksum for each log file when it is written to S3. This checksum can be used to verify that the log file has not been altered after it was written. This validation mechanism is crucial in an environment where maintaining an accurate audit trail is necessary for compliance and security monitoring. If any changes are made to the log files after they are generated, the checksum will not match when verified, indicating potential tampering.

Additionally, while options such as encrypting the logs using KMS and manually backing them up to Glacier may enhance security and protect against certain threats, they do not inherently provide the same level of integrity validation as the built-in feature in CloudTrail. Storing logs in a public S3 bucket contradicts best security practices since it exposes sensitive information to unauthorized access. Thus, relying on CloudTrail's log file integrity validation serves as a more comprehensive approach to ensure logs remain unchanged.