1. A company uses AWS CloudTrail across all regions with a multi-region trail that delivers logs to a centralized S3 bucket. A security analyst discovers that CloudTrail logs for several recent API calls are missing. What are the TWO MOST likely causes? (Select TWO)
- A. The S3 bucket's Block Public Access settings were enabled, preventing CloudTrail from writing logs.
- B. The S3 bucket policy was modified and no longer grants CloudTrail the s3:PutObject permission for the log prefix.✓ Correct
- C. The multi-region trail was stopped or deleted in the management account.✓ Correct
- D. CloudTrail does not support logging API calls made using temporary IAM role credentials.
- E. The logs were written to a different S3 bucket because CloudTrail automatically rotates log destinations monthly.
- F. AWS KMS key rotation was enabled on the bucket's SSE-KMS key, invalidating previously generated data keys.
Explanation
Option B is a common real-world issue: if the bucket policy is updated to remove CloudTrail's write permission, CloudTrail silently fails to deliver logs (it will display delivery errors in the console). Option C (trail stopped or deleted) is the most direct cause — no trail means no log delivery. Option A is incorrect — Block Public Access prevents public ACLs and policies but does not block CloudTrail's service-principal writes, which use a bucket policy grant. Option D is incorrect — CloudTrail logs all API calls regardless of credential type, including temporary credentials. Option E is incorrect — CloudTrail does not automatically change log destinations; the trail configuration is static until manually changed. Option F is incorrect — KMS key rotation replaces the key material for future encryption but does not invalidate existing encrypted objects or prevent new writes; CloudTrail would continue writing logs.