A global engineering firm stores project-related sensitive data files in the Amazon S3 bucket in the us-west-1 region. Security Head is looking for a detail of the API calls made to modify files in this bucket.
What additional configuration can be done in AWS CloudTrail to capture these details?

Answer options:

A.Enable read & write management events for trails in AWS CloudTrail.
B.Enable write management events for trails in AWS CloudTrail.
C.Enable Data events for trails in AWS CloudTrail.
D.Enable Insight events for trails in AWS CloudTrail.

Correct Answer: C
CloudTrail Trails can be configured to log data events that provide visibility operations performed on or within a resource. These events capture Amazon S3 object-level API calls like GetObject, DeleteObject, and PutObject. Data events are not enabled by default and need to be explicitly enabled. There are additional charges for capturing these events.
Options A & B are incorrect as Management events will capture only management-related operations performed on a Resource. These events would not capture API calls made to objects within an Amazon S3 bucket.
Option D is incorrect as Insight events capture unusual events only for write management events.
For more information on logging data events for AWS CloudTrail, refer to the following URLs,
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
https://aws.amazon.com/blogs/mt/aws-cloudtrail-best-practices/