A company must comply with a regulation that requires logging all access to sensitive data stored in Amazon S3. Which AWS services can be used to capture and store access logs? (Choose TWO.)
CloudTrail logs S3 API calls.
Why this answer
Options B and D are correct. AWS CloudTrail logs API calls to S3. Amazon S3 server access logs provide detailed records of requests.
Option A is wrong because Amazon CloudWatch Logs can receive logs but doesn't generate S3 access logs directly. Option C is wrong because AWS Config tracks configuration changes, not access. Option E is wrong because VPC Flow Logs capture network traffic, not S3 access.