AWS Certified Solutions Architect - Professional / Question #726 of 529

Question #726

A company is storing confidential documents in an Amazon S3 bucket. The company must log all access requests to objects in the S3 bucket and retain the logs for 7 years. The security team must also receive an email notification whenever there is an unauthorized access attempt detected.

Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)

A

Configure AWS CloudTrail to log S3 data events.

B

Configure S3 server access logging for the S3 bucket.

C

Configure Amazon S3 to send object access events to Amazon Simple Email Service (Amazon SES).

D

Configure Amazon S3 to send object access events to an Amazon EventBridge event bus that publishes to an Amazon Simple Notification Service (Amazon SNS) topic.

E

Configure Amazon S3 to send the logs to Amazon Timestream with data storage tiering.

F

Configure a new S3 bucket to store the logs with an S3 Lifecycle policy.

Explanation

A: AWS CloudTrail data events for S3 record every object-level request, including denied ones, so they provide the complete access audit trail the requirement calls for.

D: Amazon S3 sends access events to an EventBridge event bus, and EventBridge publishes to an SNS topic that delivers the email notification. S3 event notifications themselves typically exclude failed requests, but CloudTrail records the unauthorized attempts, and an EventBridge rule can be configured to match those records and trigger the alert.

F: Storing the logs in a dedicated S3 bucket with an S3 Lifecycle policy meets the 7-year retention requirement cost-effectively, because the policy transitions aging logs to cheaper storage classes (e.g., S3 Glacier Deep Archive) over time.

The other options are incorrect: B (S3 server access logging is redundant with CloudTrail data events), C (S3 cannot send events directly to Amazon SES), and E (Timestream is a time-series database and is not suited to long-term log storage).

Answer

The correct answer is: ADF