A Security Engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled. While testing the solution, the Security Engineer discovers that the digest files are readable, but the log files are not. What is the MOST likely cause?
A) The log files fail integrity validation and automatically are marked as unavailable.
B) The KMS key policy does not grant the Security Engineer's IAM user or role permissions to decrypt with it.
C) The bucket is set up to use server-side encryption with Amazon S3-managed keys (SSE-S3) as the default and does not allow SSE-KMS-encrypted files.
D) An IAM policy applicable to the Security Engineer's IAM user or role denies access to the "CloudTrail/" prefix in the Amazon S3 bucket.
Correct Answer:
Verified