Practice free →
HomeAWS Securitycloudcomputingscsloggingmon › An architect needs a CENTRALISED, immutable, wri…

An architect needs a CENTRALISED, immutable, write-once log archive across all AWS accounts in an Organization — protecting CloudTrail logs from tampering or deletion by a compromised admin. Which design fits BEST?

AKeeping logs only in the source account where they can be deleted
BOrg-trail CloudTrail delivering logs to an S3 bucket in a dedicated logging account with S3 Object Lock + bucket policy denying delete
CDisabling CloudTrail to avoid log-storage cost
DPer-account CloudTrail with no central archive and no Object Lock
Answer & Solution
Correct answer: B. Org-trail CloudTrail delivering logs to an S3 bucket in a dedicated logging account with S3 Object Lock + bucket policy denying delete
Org-trail + dedicated log account + Object Lock is the canonical tamper-resistant archive (per SCS-C02 §2.3, §6.1). The other options expose logs to tampering.
Solve this in the app — AWS Security practice & 24k+ MCQs →
Related questions