AWS Certified Solutions Architect - Professional / Question #886 of 529

Question #886

A financial services company offers a SaaS platform for fraud detection to international banks. The platform is hosted on AWS using multiple accounts within an AWS Organization. Compliance regulations require that all API calls be logged, that changes be auditable, and that logs be stored securely with integrity verification. Which solution meets these requirements with the LEAST operational overhead?

A

Create an AWS CloudTrail trail in each member account. Deploy each trail to all AWS Regions. Use separate Amazon S3 buckets with MFA delete, encryption, and versioning enabled. Enable log file validation for each trail.

B

Create an AWS CloudTrail organization trail in the management account. Deploy the trail to all AWS Regions. Use a single Amazon S3 bucket with MFA delete, encryption, and versioning enabled. Enable log file validation for the trail.

C

Create an AWS CloudTrail organization trail in the management account. Deploy the trail to all AWS Regions. Use a single Amazon S3 bucket with MFA delete and encryption enabled. Enable log file validation for the trail.

D

Create an AWS CloudTrail trail in the management account. Deploy the trail to all AWS Regions. Use a single Amazon S3 bucket with versioning and encryption. Configure Amazon SNS to notify when logs are delivered.

Explanation

The correct answer is B because:
1. Organization Trail: Creating an organization trail in the management account ensures all API activity across all member accounts and regions is logged automatically, eliminating the need to configure trails individually (reducing operational overhead).
2. Single S3 Bucket: Using one bucket simplifies management and reduces complexity compared to maintaining multiple buckets (as in Option A).
3. Security & Compliance: MFA delete prevents accidental or unauthorized deletion of log objects, encryption protects the data at rest, versioning preserves prior versions so that changes to log objects remain auditable, and log file validation lets you verify that delivered log files have not been modified or deleted.

Why other options are incorrect:
- A: Requires manual setup of trails in each account and multiple buckets, increasing overhead.
- C: Lacks S3 versioning, which is critical for auditing changes to logs.
- D: Uses a non-organization trail (only management account activity is logged) and omits MFA delete and log file validation, failing to meet the compliance requirements.

Key Points:
- Use AWS Organizations + CloudTrail organization trails for multi-account logging with minimal effort.
- Enable S3 versioning, MFA delete, encryption, and CloudTrail log file validation to meet security and compliance requirements.
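As an added illustration (not part of the original question set), the following Python audits a trail and its log bucket against the controls named above. The `describe_trails` / `get_bucket_versioning` key names are the real boto3 response keys; the option configurations are constructed from the answer text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrailConfig:
    """The settings the answer options differ on."""
    is_organization_trail: bool
    is_multi_region_trail: bool
    log_file_validation_enabled: bool
    bucket_encrypted: bool
    bucket_versioning: str   # "Enabled", "Suspended", or "" when never enabled
    bucket_mfa_delete: str   # "Enabled" or "Disabled"

    @classmethod
    def from_aws(cls, trail: dict, versioning: dict, encrypted: bool) -> "TrailConfig":
        """Build from a describe_trails entry and a get_bucket_versioning response
        (real boto3 keys; MFADelete is absent from the response until configured)."""
        return cls(
            is_organization_trail=trail.get("IsOrganizationTrail", False),
            is_multi_region_trail=trail.get("IsMultiRegionTrail", False),
            log_file_validation_enabled=trail.get("LogFileValidationEnabled", False),
            bucket_encrypted=encrypted,
            bucket_versioning=versioning.get("Status", ""),
            bucket_mfa_delete=versioning.get("MFADelete", "Disabled"),
        )


def compliance_gaps(cfg: TrailConfig) -> list[str]:
    """Controls from the scenario that this configuration lacks (empty = compliant)."""
    checks = [
        (cfg.is_organization_trail, "organization trail: member-account activity not logged"),
        (cfg.is_multi_region_trail, "multi-Region trail: other Regions not logged"),
        (cfg.log_file_validation_enabled, "log file validation: no signed digests for integrity"),
        (cfg.bucket_encrypted, "bucket encryption"),
        (cfg.bucket_versioning == "Enabled", "S3 versioning: overwritten log objects unrecoverable"),
        (cfg.bucket_mfa_delete == "Enabled", "S3 MFA delete: versions deletable with one factor"),
    ]
    return [reason for ok, reason in checks if not ok]


# Constructed from options B, C and D as worded (A is per-account trails: each
# trail passes these checks, its cost is N setups rather than a missing control).
OPTIONS = {
    "B": TrailConfig(True, True, True, True, "Enabled", "Enabled"),
    "C": TrailConfig(True, True, True, True, "", "Enabled"),
    "D": TrailConfig(False, True, False, True, "Enabled", "Disabled"),
}


def compliant_options(options: dict[str, TrailConfig] = OPTIONS) -> list[str]:
    """Option letters whose configuration has no gaps."""
    return [key for key, cfg in options.items() if not compliance_gaps(cfg)]
```

In a real audit, `from_aws` would be fed the output of `boto3.client("cloudtrail").describe_trails()` and `boto3.client("s3").get_bucket_versioning(Bucket=...)`; in S3, MFA delete is part of the versioning configuration, so option C's combination cannot actually be configured.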

Answer

The correct answer is: B