Protecting the Integrity of AWS CloudTrail Log Files

Secure Steps for Log File Integrity Protection

Question

A company is using CloudTrail to log all AWS API activity for all regions in all of its accounts.

The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below.

Answers

A. Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket.

B. Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes.

C. Enable CloudTrail log file integrity validation.

D. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs.

E. Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets.

Explanations

Answers: A and C.

Option A is CORRECT because AWS CloudTrail is used to log all AWS API activity for all regions in all of its accounts.

Option B is incorrect because querying the Trusted Advisor CloudTrail checks is not possible.

Option C is CORRECT because, to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.

This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

Option D is incorrect because AWS Systems Manager cannot be used as a service to monitor access policies.

Option E is incorrect because Security Groups are used for EC2 Instances and not S3 buckets.

For more information on AWS CloudTrail log file validation, refer to the URL below:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

For more information on delivering CloudTrail logs from multiple accounts, refer to the URL below:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

The correct answers are A and C.

Explanation:

A. Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket. This solution recommends creating a dedicated S3 bucket in a separate AWS account solely for storing the CloudTrail logs. The other accounts would only be granted write access, which would prevent unauthorized modifications or deletions of log files by users or processes in those accounts. Additionally, delivering all log files to the same bucket in a central location simplifies log management.

C. Enable CloudTrail log file integrity validation. This solution recommends enabling CloudTrail log file integrity validation, a feature that helps detect any unauthorized modifications to log files. It works by calculating a checksum for each log file and comparing it to the original checksum recorded by CloudTrail when the file was initially delivered. Any change to the log file results in a different checksum, which causes the integrity check to fail.
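As an added example (not code from the page or from AWS), the following Python models the check described above: recompute SHA-256 over each delivered log object, compare it with the hash recorded in the digest, and confirm the digest chain by hashing the previous digest file. The digest layout, field names and sample log objects are a constructed, simplified stand-in for the real digest format; the RSA signature CloudTrail places on each digest (SHA-256 with RSA) is not modelled.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_digest(log_objects: dict, previous_digest: bytes = b"") -> dict:
    """Model the digest CloudTrail publishes: one SHA-256 per delivered log
    object plus the SHA-256 of the previous digest, chaining the digests.
    Simplified stand-in for the real format (assumption, not AWS's schema)."""
    return {
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
            for key, body in sorted(log_objects.items())
        ],
    }

def validate(digest: dict, log_objects: dict, previous_digest: bytes = b"") -> dict:
    """Recompute every hash and compare it with the value the digest recorded.
    Returns valid / modified / missing per log object plus the chain state."""
    report = {}
    for entry in digest["logFiles"]:
        body = log_objects.get(entry["s3Object"])
        if body is None:
            report[entry["s3Object"]] = "missing"   # deleted after delivery
        elif sha256_hex(body) != entry["hashValue"]:
            report[entry["s3Object"]] = "modified"  # altered after delivery
        else:
            report[entry["s3Object"]] = "valid"
    expected = digest["previousDigestHashValue"]
    if expected is None:
        report["previousDigest"] = "none"  # first digest of the chain
    else:
        report["previousDigest"] = "valid" if sha256_hex(previous_digest) == expected else "broken"
    return report

# Constructed sample log objects and digests (not real CloudTrail output).
LOGS = {
    "20240101T0000Z_a.json.gz": b'{"Records":[{"eventName":"PutObject"}]}',
    "20240101T0005Z_b.json.gz": b'{"Records":[{"eventName":"DeleteBucket"}]}',
}
PREVIOUS_DIGEST = json.dumps(build_digest({})).encode()   # chain anchor
DIGEST = build_digest(LOGS, PREVIOUS_DIGEST)

if __name__ == "__main__":
    tampered = {**LOGS, "20240101T0000Z_a.json.gz": b'{"Records":[]}'}  # event scrubbed
    print(json.dumps(validate(DIGEST, tampered, PREVIOUS_DIGEST), indent=2))
```

A real validation run would additionally verify the digest's RSA signature against the CloudTrail public key before trusting any of the recorded hashes, which the `aws cloudtrail validate-logs` command does for you.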

B. Write a Lambda function that queries the Trusted Advisor CloudTrail checks. Run the function every 10 minutes. This solution is incorrect because it does not address the protection of log file integrity. A Lambda function that queries Trusted Advisor CloudTrail checks every 10 minutes can help detect potential security issues or non-compliant configurations in CloudTrail, but it does not protect the log files themselves from alteration.

D. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs. This solution is incorrect because it does not protect the log files from intentional or unintentional alteration. Although monitoring the access policies of S3 buckets containing CloudTrail logs can help ensure that only authorized users or processes have access to those logs, it does not address the issue of protecting the logs themselves from modification.

E. Create a Security Group that blocks all traffic except calls from the CloudTrail service. Associate the security group with all the CloudTrail destination S3 buckets. This solution is not the best option because it is not sufficient to protect the log files from intentional or unintentional alteration. A Security Group that blocks all traffic except calls from the CloudTrail service can help ensure that only authorized users or processes can access the CloudTrail logs, but it does not protect the logs themselves from unauthorized modification or deletion.