
You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled
layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to
develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources.
The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?


A.
Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option
selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that
stores your logs.

B.
Create a new CloudTrail trail with one new S3 bucket to store the logs. Configure SNS to send log file delivery
notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores
your logs.

C.
Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option
selected. Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

D.
Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS
Management Console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies
on the S3 buckets that store your logs.
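As an added illustration (not part of the original question or of the comments below), here is a Python check that audits a CloudTrail trail and its log bucket against the properties option A relies on: the global services option (so IAM, a global service, is recorded), a bucket policy that lets only the CloudTrail service write log objects, and MFA Delete on the bucket. The trail, versioning and policy dicts are constructed inline in the shape of the boto3 describe_trails, get_bucket_versioning and get_bucket_policy responses; the account id, bucket name and KMS key ARN are placeholders. It goes a little beyond the question by also checking log file validation and SSE-KMS, which are the CloudTrail features that address integrity and confidentiality of the delivered log files.

```python
# Constructed sample data shaped like boto3 responses; not captured from a real account.
ACCOUNT_ID = "111122223333"            # placeholder account id
BUCKET = "example-cloudtrail-logs"     # placeholder bucket name

TRAIL = {
    "Name": "management-events",
    "S3BucketName": BUCKET,
    "IncludeGlobalServiceEvents": True,   # "global services option": records IAM, STS, CloudFront
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,     # digest files let you verify log integrity
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder SSE-KMS key
}

# get_bucket_versioning response: MFA Delete only exists on a versioned bucket.
VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}

# The two statements CloudTrail needs on its log bucket.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT_ID}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy, bucket, account_id):
    """Check the log bucket policy: CloudTrail must be able to write, nobody else may delete or read openly."""
    findings = []
    saw_cloudtrail_write = False
    expected_prefix = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        # A wildcard principal makes the log data readable (or writable) by anyone.
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {sid} grants access to everyone")
            continue
        is_cloudtrail = isinstance(principal, dict) and principal.get("Service") == "cloudtrail.amazonaws.com"
        if is_cloudtrail and "s3:PutObject" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if expected_prefix in _as_list(stmt.get("Resource")) and \
                    cond.get("s3:x-amz-acl") == "bucket-owner-full-control":
                saw_cloudtrail_write = True
        # Deletion rights in the bucket policy defeat the point of MFA Delete.
        if any(a in ("s3:DeleteObject", "s3:DeleteObjectVersion", "s3:*") for a in actions):
            findings.append(f"statement {sid} allows object deletion")
    if not saw_cloudtrail_write:
        findings.append("no statement lets cloudtrail.amazonaws.com write to AWSLogs/<account>/* "
                        "with bucket-owner-full-control")
    return findings


def audit_trail(trail, versioning, policy, account_id=ACCOUNT_ID):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events are off, so IAM changes are not recorded")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; activity in other regions is not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off; integrity of delivered logs cannot be verified")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with SSE-KMS")
    if versioning.get("Status") != "Enabled" or versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is not enabled on the log bucket")
    findings.extend(policy_findings(policy, trail.get("S3BucketName", ""), account_id))
    return findings


if __name__ == "__main__":
    for finding in audit_trail(TRAIL, VERSIONING, BUCKET_POLICY) or ["all checks passed"]:
        print(finding)
```

Run against real data by feeding it the dicts from `boto3.client("cloudtrail").describe_trails()["trailList"]`, `get_bucket_versioning` and `json.loads(get_bucket_policy()["Policy"])`; the checks themselves need no network access.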



DakkuDaddy

Courtesy- Jayendra’s Blog

Answer is A

A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs.

A – Single new bucket with the global services option for IAM, and MFA Delete for confidentiality

B, C, D incorrect as:

B – Missing global services option for IAM
C – Existing bucket prevents confidentiality
D – 3 buckets not needed; missing global services option

Gabriel Wu

Answer is A,
but I think the difference between A and C is bucket policy vs. S3 ACL.

A bucket policy is for CRUD control at the bucket level, while an S3 ACL can restrict access to individual objects.

Refer to this:
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Under certain circumstances, you might find that S3 ACLs meet your needs better than IAM policies or bucket policies. If you want to manage permissions on individual objects within a bucket, S3 ACLs enable you to apply policies on the objects themselves, whereas bucket policies can only be applied at the bucket level. In addition, bucket policies are limited to 20 kb in size, so consider using S3 ACLs if you find that your bucket policy grows too large.