Question 40:
A company uses CloudTrail to log all AWS API activity for all regions in all of its accounts. The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below.
Answer options:
A.Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket. B.Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes. C.Enable CloudTrail log file integrity validation. D.Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs. E.Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets.