As a system administrator, you would like to enable CloudTrail for all accounts in an AWS Organization. The logs of the trail will be stored in an existing S3 bucket in the us-east-1 region. SSE-KMS encryption must be enabled in the S3 bucket with the log files encrypted by a customer-managed AWS KMS key. To achieve this, which of the following configurations is required?

Answer options:

A.The key material original value of the KMS key must be “External”.
B.The KMS key and the S3 bucket must be in the same region.
C.Log file validation must be enabled in the trail.
D.The KMS key and the S3 bucket must be owned by the same AWS account.

Correct Answer: B
Option A is incorrect because there is no such requirement for the key material`s original value of the KMS key. The original value can be KMS (default), External or Custom key store.
Option B is CORRECT because the KMS key must be in the same region us-east-1 to be used by the S3 bucket. Please also check the following snapshot when creating a trail:
Option C is incorrect because Log file validation uses digest files to verify the integrity of log files, and this setting is optional.
Option D is incorrect because the KMS key may be owned by another AWS account as long as the key policy is properly configured, allowing CloudTrail to use it for encryption and decryption.
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html?icmpid=docs_cloudtrail_console