Your company has several Cloudtrail log files defined. They now need to ensure that files have not been tampered with. How can you ensure this requirement is fulfilled?

Answer options:

A.Change the access for the log files to only allow read access.
B.Enable log file integrity for the log files.
C.Change the IAM policy for the log files to only allow read access.
D.Change the bucket ACL for the log files to only allow read access.

Correct Answer: B
The AWS Documentation mentions the following.
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.
Because it is clearly mentioned in the AWS Documentation how this can be achieved. All other options are incorrect.
For more information on Cloudtrail log file integrity, please refer to the below URL-
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html