Moving forward, how can the SysOps administrator confirm that the log files have not been modified after being delivered to the S3 bucket?

A company monitors its account activity using AWS CloudTrail. and is concerned that some log files are being tampered with after the logs have been delivered to the account’s Amazon S3 bucket.

Moving forward, how can the SysOps administrator confirm that the log files have not been modified after being delivered to the S3 bucket?
A . Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.
B . Enable log file integrity validation and use digest files to verify the hash value of the log file.
C . Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.
D . Enable S3 server access logging to track requests made to the log bucket for security audits.

View Answer

Answer: B

Explanation:

When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that Reference the log files for the last hour and contains a hash of each. This file is called a digest file. CloudTrail signs each digest file using the private key of a public and private key pair. After delivery, you can use the public key to validate the digest file. CloudTrail uses different key pairs for each AWS region

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html