Question

an application is hosted in an on-demand ec2 instance and is using amazon sdk to communicate to other aws services such as s3, dynamodb, and many others. as part of the upcoming it audit, you need to ensure that all api calls to your aws resources are logged and durably stored. which is the most suitable service that you should use to meet this requirement?

Answer 1

To log and durably store all API calls to AWS resources, use AWS CloudTrail, integrated with Amazon S3 for storage, and potentially Amazon Glacier for archiving.

Step-by-step explanation:

To ensure that all API calls to your AWS resources are logged and durably stored, you should use AWS CloudTrail.

This service monitors and records account activity across your AWS infrastructure, providing you with detailed API call histories. CloudTrail logs can help you with security analysis, resource change tracking, and compliance auditing.

Moreover, to achieve durable storage of these logs, consider integrating AWS CloudTrail with Amazon S3 for long-term storage, and optionally with Amazon Glacier for archival purposes.

It is also a good practice to enable log file validation in CloudTrail to ensure the integrity of your logs and set up CloudWatch Logs for real-time monitoring of specific API activity.

By doing so, you'll be well-prepared for the IT audit, with a robust system for oversight and accountability in place regarding your AWS resource access and usage.