A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this
information for their internal security and access audits. Which of the following will meet the Customer
requirement?
A. Enable AWS CloudTrail to audit all Amazon S3 bucket access.
B. Enable server access logging for all required Amazon S3 buckets.
C. Enable the Requester Pays option to track access via AWS Billing.
D. Enable Amazon S3 event notifications for Put and Post.
B
If it's just for internal audit, then server access logging, I assume, is sufficient:
http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
For external audits I would go for CloudTrail:
http://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
Correct answer is B
answer is b explanation JM
A – is correct
CT is for bucket level and server access logs are for object level
You can use AWS CloudTrail logs together with server access logs for Amazon S3. CloudTrail logs provide you with detailed API tracking for operations on your S3 bucket, while server access logs for Amazon S3 provide you visibility into object-level operations on your data in Amazon S3. For more information about server access logs, see Server Access Logging.
B
http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
B
Server Access log information can be useful in security and access audits
Answer is: A
keywords in the question: “track access to their Amazon Simple Storage Service (S3) buckets”
http://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
You can use AWS CloudTrail logs together with server access logs for Amazon S3. CloudTrail logs provide you with detailed API “tracking for operations on your S3 bucket”
http://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
CloudTrail logs together with CloudWatch for Amazon S3. CloudTrail integration with CloudWatch logs delivers “S3 bucket level”
I could be wrong, but this is my 2 cents worth analysis.
Bagos, CloudTrail tracks access only for API calls; if you access the bucket, for example, by console, it won't be tracked.
The console also makes API calls. From the first link above:
“CloudTrail captures API calls made *from the Amazon S3 console* or from the Amazon S3 API.”
B
Server Access Logging
Overview
In order to track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits.
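The access log record fields listed above, as an added example that is not part of the original thread: a parser for the leading fields of S3 server access log records that counts requests per requester and collects denied (403) requests for an audit review. The sample log lines, bucket name, account ID and request IDs are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Leading fields of an S3 server access log record, in order.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri",
          "http_status", "error_code"]

# A token is a [bracketed] timestamp, a "quoted" string, or a bare word.
TOKEN = re.compile(r'\[([^\]]*)\]|"((?:[^"\\]|\\.)*)"|(\S+)')

# Constructed sample records (not real traffic).
SAMPLE_LOG = '''\
OWNERID-EXAMPLE audit-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/alice REQID0001 REST.GET.OBJECT reports/q1.csv "GET /audit-bucket/reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 10 "-" "aws-cli/2.0" -
OWNERID-EXAMPLE audit-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - REQID0002 REST.GET.OBJECT reports/q1.csv "GET /audit-bucket/reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.64" -
OWNERID-EXAMPLE audit-bucket [06/Feb/2019:00:02:10 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/alice REQID0003 REST.PUT.OBJECT reports/q2.csv "PUT /audit-bucket/reports/q2.csv HTTP/1.1" 200 - - 4096 30 9 "-" "aws-cli/2.0" -
OWNERID-EXAMPLE audit-bucket [06/Feb/2019:00:03:45 +0000] 203.0.113.9 - REQID0004 WEBSITE.GET.OBJECT index.html "GET /index.html HTTP/1.1" 200 - 512 512 4 3 "-" "Mozilla/5.0" -
'''

def parse_record(line):
    """Parse one access log line into a dict of its leading fields."""
    tokens = [m.group(1) or m.group(2) or m.group(3) or ""
              for m in TOKEN.finditer(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated access log record: %r" % line)
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["http_status"] = int(rec["http_status"]) if rec["http_status"].isdigit() else None
    return rec

def summarize(lines):
    """Return (request count per requester, list of denied requests)."""
    per_requester, denied = Counter(), []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        # The requester field is "-" for unauthenticated requests.
        who = "anonymous" if rec["requester"] == "-" else rec["requester"]
        per_requester[who] += 1
        if rec["http_status"] == 403:
            denied.append((rec["time"].isoformat(), rec["remote_ip"], who,
                           rec["operation"], rec["key"], rec["error_code"]))
    return per_requester, denied

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_LOG.splitlines())
    print(dict(counts))
    print(denied)
```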
B
Anytime the word “audit” is listed I’m tempted to automatically pick CloudTrail, but B looks correct.
Server access logs are useful for many applications because they give bucket owners insight into the nature of requests made by clients not under their control. By default, Amazon S3 doesn’t collect service access logs, but when you enable logging Amazon S3 delivers access logs to your bucket on an hourly basis.
A customer wants to track access to their Amazon Simple Storage Service (S3) buckets
This is only S3, not the server systems log, so CT is the correct option
I go for A
It's B
CloudTrail tracks API access for infrastructure-changing events; in S3 this means creating, deleting, and modifying buckets. It is focused on API methods that modify buckets.
S3 Server Access Logging provides web server-style logging of access to the objects in an S3 bucket. This logging is granular to the object, includes read-only operations, and includes non-API access like static web site browsing.
B
S3 FAQ
Q: Does Amazon S3 support data access auditing?
Yes, customers can optionally configure Amazon S3 buckets to create access log records for all requests made against it. These access log records can be used for audit purposes and contain details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed.
Hence Correct Answer is B:
I think it is A… a bucket level vs an object level…
You can use AWS CloudTrail logs together with server access logs for Amazon S3. CloudTrail logs provide you with detailed API tracking for Amazon S3 bucket-level and object-level operations, while server access logs for Amazon S3 provide you visibility into object-level operations on your data in Amazon S3.
I think Bagos' link explains it well.
For me it is A
“Internal security” is my keyword. Internal security is about corporate security of a team.
After 150 questions I have to say one thing. Are these real test questions?? If these are real test questions I find it a shame to be played with the uncertainty of words, incomplete statements or criteria as dubious as the ones I am seeing. It is about valuing knowledge and not personal interpretations. Very disappointed.
A
Yes, for “internal security and access audits”, you should use CloudTrail.
Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues.
CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.