Home › AWS Security › cloudcomputing › scsloggingmon › An architect needs a CENTRALISED, immutable, wri…
An architect needs a CENTRALISED, immutable, write-once log archive across all AWS accounts in an Organization — protecting CloudTrail logs from tampering or deletion by a compromised admin. Which design fits BEST?
AKeeping logs only in the source account where they can be deleted
BOrg-trail CloudTrail delivering logs to an S3 bucket in a dedicated logging account with S3 Object Lock + bucket policy denying delete
CDisabling CloudTrail to avoid log-storage cost
DPer-account CloudTrail with no central archive and no Object Lock
Answer & Solution
Correct answer: B. Org-trail CloudTrail delivering logs to an S3 bucket in a dedicated logging account with S3 Object Lock + bucket policy denying delete
Org-trail + dedicated log account + Object Lock is the canonical tamper-resistant archive (per SCS-C02 §2.3, §6.1). The other options expose logs to tampering.
Related questions
Which AWS feature lets a security engineer aggregate AWS Config findings across all accounA security engineer notices CloudWatch alarms aren't firing for an application metric. WhiWhich AWS service streams logs in near-real-time to OpenSearch / S3 / Redshift / Splunk foWhich AWS service is BEST suited for monitoring Application Load Balancer access logs at pWhich CloudTrail feature lets a security engineer DETECT unusual API-call patterns (e.g. sWhich AWS service lets a security engineer query CloudWatch Logs with a purpose-built querWhich CloudWatch feature converts a regex pattern in log events into a metric — used to alWhich AWS service stores log data with subscription filters, metric filters, and integrati