An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)
A.
Turn on IAM CloudTrail in each IAM account
B.
Turn on CloudTrail in only the account that will be storing the logs
C.
Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it
D.
Create a service-based role for CloudTrail and associate it with CloudTrail in each account
E.
Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it
these are the steps that can meet the requirements in the most secure manner. CloudTrail is a service that records AWS API calls and delivers log files to an S3 bucket. Turning on CloudTrail in each IAM account can help capture all IAM API calls made within those accounts. Updating the bucket policy of the bucket in the account that will be storing the logs can help grant other accounts permission to write log files to that bucket. The other options are either unnecessary or insecure for logging and analyzing IAM API calls.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit