awsccp / awsccp.github.io


Errata for CloudTrail Logs Retention Question (tb235636.AWSCCPSG2E.pe2.04) #66

Open HashTagCharlie opened 2 weeks ago

HashTagCharlie commented 2 weeks ago

I've found an issue with the following question:

Question: "You're storing security logs in CloudTrail Logs and need to retain them for at least 15 years. How can you do this? (Choose two.)"

A. Do nothing; CloudTrail Logs stores logs indefinitely.
B. Replicate the logs to another region.
C. Set the log retention to 15 years.
D. Export the logs to an S3 bucket.

Original Answer: "CloudTrail Logs stores logs indefinitely, but you can set a retention policy between 1 day and 10 years. You can also export the logs to an S3 bucket for long-term storage. CloudTrail Logs doesn’t offer the ability to replicate logs to another region."

Errata: The statement that "CloudTrail Logs stores logs indefinitely" is incorrect. By default, AWS CloudTrail keeps logs for 90 days in the AWS Management Console. If you need long-term storage beyond 90 days, logs must be exported to an S3 bucket. There is no built-in option to retain logs for 15 years directly in CloudTrail. To achieve long-term retention, exporting to S3 and setting the necessary lifecycle policies on the bucket is required.

Corrected Answer: To retain CloudTrail logs for at least 15 years:

D. Export the logs to an S3 bucket.
Use a lifecycle policy on the S3 bucket for long-term storage.
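The errata's recommendation (deliver to S3, then govern retention with a lifecycle policy) has a trap worth checking in practice: a lifecycle rule is also the mechanism that deletes objects, so a bucket-wide "cleanup" rule with a short Expiration silently undercuts the 15-year requirement. The following is an added example, not code from the issue thread or from the awsccp study guide; the bucket name, account ID and helper function names are hypothetical. It builds the bucket policy CloudTrail needs to deliver log files, a lifecycle configuration that moves old logs to cheaper storage classes while expiring them only after 15 years, and a small checker that computes the shortest applicable expiration for the log prefix:

```python
"""Build and sanity-check the S3 lifecycle configuration and bucket policy
for keeping CloudTrail log files for at least 15 years.

Added example (not part of the awsccp errata thread). Bucket name,
account ID and the helper names are hypothetical placeholders.
"""
import json

BUCKET = "example-cloudtrail-archive"   # hypothetical bucket name
ACCOUNT_ID = "111122223333"             # hypothetical AWS account ID
# CloudTrail writes under AWSLogs/<account-id>/CloudTrail/<region>/...
LOG_PREFIX = f"AWSLogs/{ACCOUNT_ID}/"
REQUIRED_DAYS = 15 * 366                # 15 years, rounded up for leap years


def cloudtrail_bucket_policy(bucket, account_id):
    """Bucket policy CloudTrail requires to deliver log files.

    CloudTrail first checks s3:GetBucketAcl on the bucket, then writes with
    s3:PutObject under AWSLogs/<account>/ using the bucket-owner-full-control ACL.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def lifecycle_config(retention_days, prefix="AWSLogs/"):
    """Tier logs down to Glacier / Deep Archive, expire only after retention_days."""
    return {
        "Rules": [
            {
                "ID": "cloudtrail-long-term-retention",
                "Status": "Enabled",
                "Filter": {"Prefix": prefix},
                "Transitions": [
                    {"Days": 90, "StorageClass": "GLACIER"},
                    {"Days": 365, "StorageClass": "DEEP_ARCHIVE"},
                ],
                "Expiration": {"Days": retention_days},
            }
        ]
    }


# Constructed "weak" configuration: a bucket-wide cleanup rule that would
# delete every CloudTrail file after one year, regardless of the archive rule.
WEAK_CONFIG = {
    "Rules": [
        {"ID": "cleanup-everything", "Status": "Enabled",
         "Filter": {}, "Expiration": {"Days": 365}},
        lifecycle_config(REQUIRED_DAYS)["Rules"][0],
    ]
}


def effective_retention_days(config, prefix):
    """Shortest enabled Expiration (in days) whose rule prefix covers `prefix`.

    Returns None when no enabled rule expires those objects, i.e. they are kept
    until someone deletes them. Date-based expirations are not modelled.
    """
    shortest = None
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        if not prefix.startswith(rule_prefix):
            continue  # rule does not apply to the log prefix
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and (shortest is None or days < shortest):
            shortest = days
    return shortest


def meets_retention(config, prefix, required_days):
    """True if nothing under `prefix` is expired before required_days."""
    days = effective_retention_days(config, prefix)
    return days is None or days >= required_days


if __name__ == "__main__":
    cfg = lifecycle_config(REQUIRED_DAYS)
    print(json.dumps(cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID), indent=2))
    print(json.dumps(cfg, indent=2))
    print("good config ok:", meets_retention(cfg, LOG_PREFIX, REQUIRED_DAYS))
    print("weak config ok:", meets_retention(WEAK_CONFIG, LOG_PREFIX, REQUIRED_DAYS))
```

The two JSON documents are what you would hand to `aws s3api put-bucket-policy` and `aws s3api put-bucket-lifecycle-configuration`; the checker is the part to run against a bucket's existing rules before trusting it for compliance retention, because the shortest matching Expiration wins regardless of which rule was meant for CloudTrail. Retention here only prevents lifecycle deletion; if the requirement also covers tamper resistance, that is a separate S3 Object Lock setting not shown in this example.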

dbclinton commented 2 weeks ago

Hi, your point is correct. I think the problem with the existing phrasing of answer A is that S3 isn't mentioned explicitly. In fact, CloudTrail logs are exported to S3 by default, where they will remain forever unless you change the settings manually. I'll try to update this for the next edition. Thanks.