A company has hired a third-party security auditor, and the auditor needs read-only access to the required AWS resources and logs of all VPC records and events that will occur on AWS. How can the company meet the auditor`s requirements without compromising with the security in the AWS environment?

Answer options:

A.Create a role that has the required permissions for the auditor.
B.Create an SNS notification that sends the CloudTrail log files to the auditor`s email when CloudTrail delivers the logs to S3 but does not allow the auditor access to the AWS environment.
C.The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to the third-party auditor.
D.Enable CloudTrail and specify the S3 bucket for your log file delivery.Create an IAM user who has read-only permission to the required AWS resources, including the VPC logs and the bucket containing CloudTrail logs.

Answer – D
Option A is incorrect. IAM roles are a secure way to grant permissions to entities that you trust.But the entities should be an IAM user in another account or a User from a corporate directory who use identity federation with SAML. None of these are specified in the question.
Option B is incorrect because sending the logs via email is not a good architecture.
Option C is incorrect because granting the auditor access to AWS resources is not AWS`s responsibility. It is the AWS user or account owner`s responsibility.
AWS CloudTrail is now enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started. 
But if you want to access your CloudTrail log files directly or archive your logs for auditing purposes, you can still create a trail and specify the S3 bucket for your log file delivery. 
https://aws.amazon.com/blogs/aws/new-amazon-web-services-extends-cloudtrail-to-all-aws-customers/
More information on AWS CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
For more information on CloudTrail, please visit the below URL-
https://aws.amazon.com/cloudtrail/