A team wants detective controls to investigate suspected exfiltration from an S3 bucket. They need to know when objects are accessed (GetObject) and also when new encrypted objects are written.
They already enabled AWS CloudTrail for management events, but their investigation shows no visibility into object-level reads/writes in the logs they review.
Which CloudTrail configuration change most directly provides the missing object-level visibility?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Enable CloudTrail data events for the specific S3 bucket so that GetObject and PutObject operations are logged at the object level.
CloudTrail management events cover control-plane activity, not per-object access details in S3. Enabling S3 data events (object-level logging) causes CloudTrail to record events like GetObject and PutObject for the targeted bucket and prefixes. This directly addresses the missing visibility symptom described. It also limits logging scope when you specify the bucket/prefix.
Enable AWS Config delivery to a separate bucket and create a rule to detect noncompliant S3 policies; this will automatically generate GetObject logs.
AWS Config evaluates resource configuration and policy compliance, but it does not provide object-level access logs like GetObject and PutObject. The requirement is detective visibility into access and writes, not configuration drift detection. This approach would not fill the logging gap for exfiltration investigations.
Turn on VPC Flow Logs for the VPC hosting the S3 gateway endpoint, because network logs show S3 object read and write details.
VPC Flow Logs capture network traffic metadata (e.g., src/dst IPs and ports) but not S3 API actions at the object level. They cannot directly answer which objects were read from or written to within the bucket. The symptom is missing CloudTrail visibility into object-level operations, not network reachability.
Add an S3 bucket policy that denies all GetObject requests unless the caller uses TLS; the denial events will create investigation logs automatically.
A bucket policy denial will generate some logs, but it does not provide comprehensive object access visibility for legitimate reads and writes. Additionally, enforcement does not equal detective coverage; you may still miss successful access events. The question asks for configuration to provide missing object-level logs.
Common exam trap
Many certification questions include familiar terms but test a specific constraint. Read the exact wording before choosing an answer that is generally true but wrong for this case.
Technical deep dive
This question should be treated as a scenario, not a definition check. Identify the problem, the constraint and the best action. Then compare each option against those facts.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
Read the scenario before looking for a memorised answer.
The correct answer is: Enable CloudTrail data events for the specific S3 bucket so that GetObject and PutObject operations are logged at the object level. — The symptom (CloudTrail management events enabled but no GetObject/PutObject visibility) indicates the team is missing CloudTrail data events for S3. Management events log actions like CreateBucket and PutBucketPolicy, while object-level reads/writes require S3 data events, which record per-request object operations such as GetObject and PutObject. Enabling CloudTrail data events for the specific bucket (and optionally prefixes) provides the detailed access history needed for exfiltration investigations and for confirming when encrypted objects were written. Why others are wrong: Option B is incorrect because AWS Config detects configuration compliance and policy changes, not per-object data access. Option C is incorrect because VPC Flow Logs are network-level and do not reveal S3 object keys or API actions. Option D is incorrect because bucket policy enforcement may block some access and can generate limited denial signals, but it does not substitute for comprehensive object-level logging of successful reads and writes.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.