A company is using Amazon S3 to store sensitive documents. The security team requires that all access to the bucket be logged for audit purposes. Which feature should be enabled?
Server access logs record detailed information about requests.
Why this answer
S3 server access logging provides detailed records for requests made to an S3 bucket, including the requester, bucket name, request time, action, and response status. This feature logs all access at the object level, which directly meets the audit requirement for sensitive documents. It delivers log files to a target bucket in a standardized format, enabling security teams to analyze access patterns and detect unauthorized activity.
Exam trap
The trap here is that candidates often confuse AWS CloudTrail (Option D) with S3 server access logging, assuming CloudTrail's data events provide the same granularity, but CloudTrail is designed for API call auditing and may miss certain access patterns (e.g., anonymous requests or cross-account access) unless explicitly configured, whereas S3 server access logging captures all requests by default.
How to eliminate wrong answers
Option B is wrong because Amazon CloudWatch Logs is a service for monitoring, storing, and accessing log files from AWS resources like EC2 or Lambda, but it does not natively capture S3 access logs without additional configuration (e.g., using S3 event notifications to push logs to CloudWatch). Option C is wrong because S3 Inventory provides a list of objects and their metadata (e.g., size, encryption status) for compliance and lifecycle management, but it does not log access requests or actions performed on the bucket. Option D is wrong because AWS CloudTrail records management events (e.g., bucket creation, policy changes) and data events (e.g., GetObject, PutObject) for S3, but it is not the primary feature for detailed, request-level logging; S3 server access logging is the dedicated feature for granular access logs, while CloudTrail is often used for governance and compliance at a higher level.