Question 140:
An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. Which of the following options is the best way to configure access for the auditor to view event logs from all accounts?
Answer options:
A. Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.
B. Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
C. Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS S3 bucket in the primary account. Create an IAM user for the auditor with an IAM policy to S3 read-only access for only the bucket which stores the CloudTrail logs in the primary account.