
AWS SOA-C02 Drill: S3 Access Logging - Immutable IP Logging Retention

Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).

For SOA-C02 candidates, the confusion frequently comes from blending CloudTrail logs, S3 access logs, and immutable retention requirements.

In production, this is about understanding exactly how to implement tamper-proof audit trails for sensitive data access attempts while balancing operational overhead and AWS service features. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

An organization named Fintegrity Solutions manages a highly secure internal data lake stored in a private Amazon S3 bucket. The site reliability engineering team needs to capture the IP addresses of all failed authentication attempts made to access objects inside this bucket. Additionally, these logs must be stored in a manner that prevents any overwriting or deletion for at least 90 days to satisfy compliance and audit requirements.

The Requirement:

  • Record IP addresses of failed authentication requests to the S3 bucket.
  • Store logs in an immutable manner that prevents overwrite or deletion.
  • Retain logs for at least 90 days.

The Options:

  • A) Create an AWS CloudTrail trail. Store the log files in Amazon CloudWatch Logs. Configure the log group with a 90-day retention period.
  • B) Create an AWS CloudTrail trail. Store the log files in a separate Amazon S3 bucket. Enable 90 days of CloudTrail log file integrity validation.
  • C) Enable S3 server access logging on the original bucket. Store the access logs in Amazon CloudWatch Logs. Configure the log group with a 90-day retention period.
  • D) Enable S3 server access logging on the original bucket. Store the logs in a second S3 bucket. Enable S3 Object Lock on the second bucket and configure a 90-day default retention period.


Correct Answer

D

Quick Insight: The Site Reliability Engineering Imperative

  • CloudTrail records the source IP of API calls, but its log files are not immutable unless the destination bucket uses S3 Object Lock.
  • S3 server access logs capture raw access attempts, including the remote IP of rejected requests, but must be delivered to an Object Lock-enabled bucket for tamper-proof retention.
  • CloudWatch Logs retention settings only expire data on a schedule; they do not make log events immutable or protect them from deletion by a principal with the right IAM permissions.



The Expert’s Analysis

Correct Answer

Option D

The Winning Logic

This scenario’s key is the immutable, tamper-proof retention of IP address logs from failed S3 access attempts for 90 days.

  • Why Option D works:
    Enabling S3 server access logging on the bucket generates detailed access logs that include the remote IP address of every request, including the requests S3 rejected. Delivering these logs to a second S3 bucket keeps them separate from the data they describe, so the logging bucket can be locked down independently.
    Enabling S3 Object Lock in Compliance mode on the logging bucket makes every delivered log object immutable for 90 days: no user, including the account's root user, can delete or overwrite it until the retention period expires. This meets the non-overwrite, non-deletion compliance mandate.
    A bucket-level default retention period of 90 days applies that protection automatically to every newly delivered log object, so no per-object retention settings are needed.

  • Additional notes:
    CloudTrail logs are useful but capture more than just S3 access and are not immutable unless stored in an Object Lock-enabled bucket. CloudWatch Logs retention policies do not provide immutable storage and rely on IAM controls to prevent deletions, which is insufficient for strict compliance. Also note that server access log delivery is best effort: records usually arrive within a few hours and occasionally later, so the logging bucket is an audit trail, not a real-time alerting source.
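To see what the delivered logs actually contain, here is an added example (not code from the original article) that parses S3 server access log records and tallies the remote IP of every request S3 rejected for authentication or authorisation reasons. The field order follows the documented S3 server access log format; the sample records, bucket names and request IDs are constructed for this example.

```python
"""Extract the remote IP of failed authentication/authorisation requests
from S3 server access log records.

Field order follows the documented S3 server access log format:
bucket owner, bucket, [time], remote IP, requester, request ID, operation,
key, "Request-URI", HTTP status, error code, bytes sent, ...
The sample records below are constructed for this example.
"""
import re
from collections import Counter

# One token is a [bracketed] timestamp, a "quoted" string, or a bare field.
_FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Error codes S3 returns when the caller could not be authenticated or
# authorised; all of them are logged with HTTP status 403.
AUTH_FAILURE_CODES = {
    "AccessDenied",
    "InvalidAccessKeyId",
    "SignatureDoesNotMatch",
    "ExpiredToken",
}

# Constructed sample: two anonymous denials from one IP, one successful
# authenticated read, and one 404 that is not an authentication failure.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eaadb6e8d8c1fe3ee16a7e2 source-data-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.3 - 3E57427F3EXAMPLE REST.GET.OBJECT finance/q1.csv "GET /finance/q1.csv HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "aws-cli/2.13.0" - s9lzHYrFp76ZVxRcpXEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader source-data-bucket.s3.amazonaws.com TLSV1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaadb6e8d8c1fe3ee16a7e2 source-data-bucket [06/Feb/2024:00:00:39 +0000] 192.0.2.3 - 891CE47D2EXAMPLE REST.GET.OBJECT finance/q2.csv "GET /finance/q2.csv HTTP/1.1" 403 InvalidAccessKeyId 243 - 9 - "-" "aws-cli/2.13.0" - A1206F460EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader source-data-bucket.s3.amazonaws.com TLSV1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaadb6e8d8c1fe3ee16a7e2 source-data-bucket [06/Feb/2024:00:01:00 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/analyst 7B4A0FABEXAMPLE REST.GET.OBJECT finance/q1.csv "GET /finance/q1.csv HTTP/1.1" 200 - 1024 1024 12 10 "-" "aws-sdk-go/1.44" - DWFlhqGbEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader source-data-bucket.s3.amazonaws.com TLSV1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaadb6e8d8c1fe3ee16a7e2 source-data-bucket [06/Feb/2024:00:01:05 +0000] 203.0.113.9 - 6C8F2E01EXAMPLE REST.GET.OBJECT finance/q3.csv "GET /finance/q3.csv HTTP/1.1" 404 NoSuchKey 294 - 8 - "-" "curl/8.0" - 2LqNgEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader source-data-bucket.s3.amazonaws.com TLSV1.2 - -
"""


def parse_access_log_line(line):
    """Return the fields this check needs, or None for a malformed record."""
    tokens = _FIELD.findall(line)
    if len(tokens) < 11:
        return None
    status = tokens[9]
    return {
        "bucket": tokens[1],
        "time": tokens[2].strip("[]"),
        "remote_ip": tokens[3],
        "requester": tokens[4],  # "-" for unauthenticated (anonymous) requests
        "operation": tokens[6],
        "key": tokens[7],
        "status": int(status) if status.isdigit() else None,
        "error_code": tokens[10],  # "-" when the request succeeded
    }


def failed_auth_ips(lines):
    """Map remote IP -> count of requests S3 rejected with HTTP 403 and an
    authentication/authorisation error code."""
    hits = Counter()
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None:
            continue
        if rec["status"] == 403 and rec["error_code"] in AUTH_FAILURE_CODES:
            hits[rec["remote_ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, count in failed_auth_ips(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{count} failed request(s)")
```

Run against real log objects from the locked logging bucket, this produces exactly the per-IP record of failed authentication attempts the scenario asks to retain; the 404 in the sample is deliberately excluded because a missing key is not an authentication failure.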

The Trap (Distractor Analysis):

  • Why not A? CloudTrail can deliver to CloudWatch Logs with a retention period, but that retention policy only expires logs on a schedule; it does not make them tamper-proof, and a principal with the right IAM permissions can delete the log group. In addition, a default trail records account-level management API calls; object-level S3 requests, including denied ones and their source IPs, are captured only if S3 data events are explicitly enabled on the trail, which this option does not do.

  • Why not B? CloudTrail log file integrity validation lets you detect, via signed digest files, that a log file was modified or deleted, but it does not prevent deletion or overwriting; it only reveals tampering after the fact. To enforce immutability, Object Lock must be enabled on the destination bucket.

  • Why not C? S3 server access logs cannot be sent directly to CloudWatch Logs. Also, CloudWatch Logs retention does not provide immutable storage; logs can be deleted by users with permissions. The requirement explicitly mandates non-overwrite and non-deletion.


The Technical Blueprint

# 1. Create the logging bucket with Object Lock enabled. Object Lock can only be
#    turned on at bucket creation, so this must happen before logging is pointed
#    at it. Outside us-east-1 add:
#    --create-bucket-configuration LocationConstraint=<region>
aws s3api create-bucket --bucket logging-bucket --object-lock-enabled-for-bucket

# 2. Apply a bucket default retention of 90 days in Compliance mode
aws s3api put-object-lock-configuration --bucket logging-bucket --object-lock-configuration '{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "COMPLIANCE",
      "Days": 90
    }
  }
}'

# 3. Allow the S3 log delivery service to write into the logging bucket.
#    Without this grant put-bucket-logging fails with InvalidTargetBucketForLogging.
#    Replace 123456789012 (placeholder) with the account that owns source-data-bucket.
aws s3api put-bucket-policy --bucket logging-bucket --policy '{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "S3ServerAccessLogsPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::logging-bucket/access-logs/*",
    "Condition": {
      "ArnLike": {"aws:SourceArn": "arn:aws:s3:::source-data-bucket"},
      "StringEquals": {"aws:SourceAccount": "123456789012"}
    }
  }]
}'

# 4. Enable server access logging on the source bucket, delivering to the locked bucket
aws s3api put-bucket-logging \
  --bucket source-data-bucket \
  --bucket-logging-status '{
      "LoggingEnabled": {
          "TargetBucket": "logging-bucket",
          "TargetPrefix": "access-logs/"
      }
  }'
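Once the blueprint has been applied, a practitioner should verify rather than assume that the logging bucket enforces the requirement. The following is an added example (not part of the original article) that evaluates a bucket's Object Lock configuration and an individual log object's retention against the 90-day rule. The two inputs are dicts shaped like the responses boto3 returns from get_object_lock_configuration() and get_object_retention(); the sample values are constructed so the check runs offline.

```python
"""Audit an S3 logging bucket's Object Lock settings against the scenario's
90-day, no-overwrite, no-delete requirement.

Inputs mirror the shape of boto3's get_object_lock_configuration() and
get_object_retention() responses; all sample values here are constructed.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_DAYS = 90


def check_bucket_config(cfg, required_days=REQUIRED_DAYS):
    """Return a list of findings for a bucket's Object Lock configuration.
    An empty list means the default retention satisfies the requirement."""
    findings = []
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention rule: newly delivered log objects are not locked"]
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(
            f"default retention mode is {rule.get('Mode')}: GOVERNANCE retention can be "
            "lifted by a principal holding s3:BypassGovernanceRetention"
        )
    # The API accepts either Days or Years in a default retention rule, never both.
    days = rule.get("Days") or (rule.get("Years") or 0) * 365
    if days < required_days:
        findings.append(f"default retention of {days} days is below the required {required_days}")
    return findings


def check_object_retention(retention, last_modified, required_days=REQUIRED_DAYS):
    """Findings for one delivered log object: its retention must be in
    COMPLIANCE mode and extend at least required_days past its creation."""
    findings = []
    ret = retention.get("Retention", {})
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"object retention mode is {ret.get('Mode')}, expected COMPLIANCE")
    until = ret.get("RetainUntilDate")
    needed = last_modified + timedelta(days=required_days)
    if until is None:
        findings.append("object has no RetainUntilDate; it can be overwritten or deleted")
    elif until < needed:
        findings.append(f"RetainUntilDate {until:%Y-%m-%d} is before the required {needed:%Y-%m-%d}")
    return findings


# Constructed samples: one compliant configuration and one that would pass a
# casual glance (Object Lock "enabled") but fails the actual requirement.
GOOD_CONFIG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
WEAK_CONFIG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}

CREATED_AT = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed LastModified
GOOD_OBJECT = {"Retention": {"Mode": "COMPLIANCE",
                             "RetainUntilDate": CREATED_AT + timedelta(days=90)}}
SHORT_OBJECT = {"Retention": {"Mode": "COMPLIANCE",
                              "RetainUntilDate": CREATED_AT + timedelta(days=30)}}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "bucket:", check_bucket_config(cfg) or ["OK"])
    for name, obj in (("good", GOOD_OBJECT), ("short", SHORT_OBJECT)):
        print(name, "object:", check_object_retention(obj, CREATED_AT) or ["OK"])
```

Against a live account, pass the responses of `s3.get_object_lock_configuration(Bucket=...)` and `s3.get_object_retention(Bucket=..., Key=...)` (with the object's `LastModified` from `head_object`) straight into these functions. The per-object check matters because a default retention rule only applies to objects written after it was set; log files delivered before the rule existed are not locked.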

The Comparative Analysis

Option | Operational Overhead | Automation Level | Immutable Storage | Commentary
A      | Low                  | Medium           | No                | CloudWatch retention deletable
B      | Medium               | Medium           | No                | Log integrity check, but deletable logs
C      | Medium               | Low              | No                | S3 logs -> CloudWatch not supported, no immutability
D      | Medium               | High             | Yes               | S3 logs + Object Lock enables compliance-grade immutability

Real-World Application (Practitioner Insight)

Exam Rule

“For the exam, always pick S3 server access logging + Object Lock when immutability of access logs is required.”

Real World

“In some organizations, CloudTrail logs delivered to an Object Lock-enabled S3 bucket, combined with AWS Config, can be used; but for direct IP-level access request logs with enforced retention immutability, the described approach is best practice.”




Disclaimer

This is a study note based on simulated scenarios for the AWS SOA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.