You need to ensure that the CloudTrail logs which are being delivered to your AWS account are encrypted. How can this be achieved in the easiest way possible?

Answer options:

A.Don’t do anything since CloudTrail logs are automatically encrypted.
B.Enable S3-SSE for the underlying bucket which receives the log files.
C.Enable S3-KMS for the underlying bucket which receives the log files.
D.Enable KMS encryption for the logs which are sent to Cloudwatch.

Answer: A
Option A is CORRECT because, by default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
Option B is incorrect because AWS CloudTrail provides encryption by default using S3-SSE.Option C is incorrect because AWS CloudTrail provides encryption by default using S3-SSE, and there is no need for additional encryption using S3-KMS.
Option D is incorrect because AWS CloudTrail provides encryption by default using S3-SSE, and there is no need for additional encryption by enabling KMS on logs sent to CloudWatch. The question is for CloudTrail logs to S3 instead of CloudWatch logs.
For more information on AWS CloudTrail log encryption, please visit the following URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html