Your security officer has told you that you need to tighten up the logging of all events that occur on your AWS account. He wants to be able to access all events that occur on the account across all regions quickly and in the simplest possible manner. He also wants to make sure that he is the only person who can access these events in the most secure way possible. Which of the following would be the best solution to assure his requirements are met? Choose the correct answer from the options below.

Answer options:

A.Use CloudTrail to log all events to one S3 bucket. Make this S3 bucket only accessible by your security officer with a bucket policy that restricts access to his user only and adds MFA to the policy for a further security level.
B.Use CloudTrail to log all events to an Amazon Glacier Vault. Make sure the vault access policy only grants access to the security officer`s IP address.
C.Use CloudTrail to send all API calls to CloudWatch and send an email to the security officer every time an API call is made. Make sure the emails are encrypted.
D.Use CloudTrail to log all events to a separate S3 bucket in each region as CloudTrail cannot write to a bucket in a different region. Use MFA and bucket policies on all the different buckets.

Answer – A
The main points to consider in this scenario is: (1)the security officer needs to access all events that occur on the account across all the regions, and (2) only that security officer should have the access.
Option A is CORRECT because it configures only one S3 bucket for all the CloudTrail log events on the account across all the regions. It also restricts access to the security officer only via the bucket policy. See the images below:
Option B is incorrect because it uses Amazon Glacier vaults, an archival solution and is not used to store the CloudTrail logs.
Option C is incorrect because sending the API calls to CloudWatch is unnecessary. Also, notifying the security officer via email is not a good nor a secure architecture.
Option D is incorrect because CloudTrail provides an option where are all the logs get delivered to a single S3 bucket. Putting all the logs in separate buckets is an overhead .
More information on AWS CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
You can design CloudTrail to send all logs to a central S3 bucket.
For more information on CloudTrail, please visit the below URL-
https://aws.amazon.com/cloudtrail/