You have enabled CloudTrail logs for your company’s AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?

Answer options:

A.Enable SSL certificates for the CloudTrail logs.
B.There is no need to do anything since the logs will already be encrypted.
C.Enable Server side encryption for the trail.
D.Enable Server side encryption for the destination S3 bucket.

Answer: B
Option B is CORRECT because, by default, AWS CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
Options A, C and D are incorrect because AWS CloudTrail logs are encrypted by default and there is no need for additional configurations.
For more information on how Cloudtrail works, please visit the following URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html