A pharma firm has deployed its application servers on AWS resources across multiple regions. AWS CloudTrail logs from different regions are delivered to a single Amazon bucket in the us-east-1 region. To meet audit compliance, Security Head needs to be guaranteed that no log files are modified post-delivery & should follow the least privilege guidelines for storing logs.
Which configurations can be done to meet this requirement?

Answer options:

A.Enable log file integrity validation. The Amazon S3 bucket, which is the same as CloudTrail log files, enables security policy on folders consisting of digest files.
B.Enable log file integrity validation. The Amazon S3 bucket, which is the same as CloudTrail log files, enables security policy on folders consisting of log files.
C.Enable log file integrity validation. The Amazon S3 bucket, which is different from CloudTrail log files, enables security policy on folders consisting of log files.
D.Enable log file integrity validation. The Amazon S3 bucket, which is different from CloudTrail log files, enables security policy on folders consisting of digest files.

Correct Answer: A
Once log file integrity validation is enabled, CloudTrail creates a digest file that references log files & hash for each of the files. This digest file is delivered in the same Amazon S3 bucket but in a separate folder as that of CloudTrail Log files. Separate security policies can be implemented on a folder consisting of digest files.
Option B is incorrect as Digest Files are delivered in a separate folder as that of CloudTrail log files.
Options C & D are incorrect as digest files are delivered in the same bucket as that of CloudTrail log files.
For more information on CloudTrail Log File Integrity, refer to the following URL,
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html