A security engineer is configuring AWS CloudTrail to log management events for all AWS regions. The engineer needs to ensure that log files are encrypted at rest and that access to the log files is logged. Which solution meets these requirements?
CloudTrail supports SSE-KMS for encryption at rest, and S3 server access logs capture requests to the bucket.
Why this answer
Option C is correct because CloudTrail can be configured to use SSE-KMS for encryption, and S3 server access logs can log access to the log files. Option A is wrong because SSE-S3 does not provide access logging. Option B is wrong because SSE-C is not supported by CloudTrail. Option D is wrong because CloudWatch Logs does not encrypt log files at rest by default.