As an AWS systems administrator for your company, you have enabled CloudTrail logs for your company’s account. The head of IT operations has also advised that the logs need to be encrypted. As the AWS admin for the company, what advice would you offer?

Answer options:

A.Enable TLS certificate for the CloudTrail Logs.
B.CloudTrails logs are automatically encrypted, hence no cause for alarm.
C.Create bucket policy on the S3 to enforce encryption of this trails .
D.Use AWS KMS to encrypt the trails.

Correct Answer: B
By default, the CloudTrail logs delivered to the S3 bucket are encrypted by server-side encryption using AWS using SSE-S3.
A is incorrect because - You can encrypt data in transit using SSL or client-side encryption. To encrypt data at rest in Amazon S3, you can use S3 server-side encryption or client-side encryption. However, we do not need to encrypt data in transit using SSL because CloudTrail logs are automatically encrypted using AWS SSE-S3 server-side encryption.
C and D are incorrect since the CloudTrail logs are encrypted by default.