The correct answer is A. Enable CloudTrail log file integrity validation.
AWS CloudTrail records API calls made to AWS services and delivers the resulting log files to an Amazon S3 bucket. For organizations that need to ensure the authenticity and integrity of these log files, AWS recommends enabling log file integrity validation. This feature hashes each delivered log file and records the hash separately from the log itself, allowing you to verify that the logs have not been modified or deleted after CloudTrail delivered them.
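The following is an added illustration, not code from AWS or from the original explanation. It models offline what log file integrity validation checks: every delivered log object is hashed with SHA-256 and the hash is recorded in a separate digest, so a later comparison reveals objects that were modified or deleted. The bucket name, object keys, and event contents are constructed, and the digest dictionary only borrows the field names of the real digest file; the real feature additionally signs each digest with an AWS-held RSA key and chains digests together, which this example does not reproduce.

```python
"""Offline model of CloudTrail log file integrity validation (added example).

Constructed scenario: three fake log objects are "delivered", a digest
records each object's SHA-256 hash, then one object is tampered with and
another deleted before re-verification. Field names mirror the real digest
schema; the RSA signature over the digest is intentionally not modelled.
"""
import gzip
import hashlib
import json
from typing import Dict, List, Tuple

BUCKET = "example-trail-bucket"  # constructed bucket name


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the object bytes exactly as stored in S3."""
    return hashlib.sha256(data).hexdigest()


def make_log_object(events: list) -> bytes:
    """CloudTrail delivers gzip-compressed JSON; the digest hashes the
    compressed bytes, so the hash must be taken after compression."""
    body = json.dumps({"Records": events}).encode()
    return gzip.compress(body, mtime=0)  # fixed mtime keeps output stable


def build_digest(objects: Dict[str, bytes]) -> dict:
    """Record the hash of every delivered log object, as a digest file does."""
    return {
        "digestS3Bucket": BUCKET,
        "logFiles": [
            {
                "s3Bucket": BUCKET,
                "s3Object": key,
                "hashValue": sha256_hex(data),
                "hashAlgorithm": "SHA-256",
            }
            for key, data in sorted(objects.items())
        ],
    }


def verify_digest(digest: dict, objects: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare each recorded hash with what is actually in the bucket now.

    Returns (key, status) pairs with status in {"valid", "modified", "missing"}.
    """
    results = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            results.append((key, "missing"))
        elif sha256_hex(objects[key]) != entry["hashValue"]:
            results.append((key, "modified"))
        else:
            results.append((key, "valid"))
    return results


def demo() -> Dict[str, str]:
    """Deliver three objects, tamper with one, delete one, and re-verify."""
    # Constructed object keys; real keys carry the account, region and date.
    bucket = {
        "trail/000001.json.gz": make_log_object([{"eventName": "CreateTrainingJob"}]),
        "trail/000002.json.gz": make_log_object([{"eventName": "InvokeEndpoint"}]),
        "trail/000003.json.gz": make_log_object([{"eventName": "AssumeRole"}]),
    }
    digest = build_digest(bucket)  # written at delivery time

    # Later: an event is scrubbed from one object and another object removed.
    bucket["trail/000002.json.gz"] = make_log_object([])
    del bucket["trail/000003.json.gz"]

    return dict(verify_digest(digest, bucket))


if __name__ == "__main__":
    for key, status in demo().items():
        print(f"{status:9s} {key}")
```

In a real account the equivalent steps are `aws cloudtrail update-trail --name <trail> --enable-log-file-validation` to turn the feature on and `aws cloudtrail validate-logs --trail-arn <arn> --start-time <timestamp>` to run the check; the CLI also verifies the digest signatures, which is what stops someone who can edit the bucket from simply rewriting the digest to match a modified log.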
Enabling log file integrity validation is critical in ML operations when auditing model training pipelines, production inference calls, or system access patterns across accounts. It ensures that security-sensitive API activity is accurately recorded and verifiable. In multi-account environments managed by AWS Organizations, this validation provides an extra layer of trust when logs are consolidated from multiple accounts.
Option B, creating a multi-Region trail, ensures that API activity across regions is logged but does not inherently guarantee the integrity of logs. Option C, creating an organization trail, centralizes logging for all accounts, which is valuable for governance, but again does not automatically provide verification of log integrity. Option D, enabling CloudWatch Logs delivery, allows real-time monitoring and alerting but does not address the verification of historical log files.
By enabling log file integrity validation, organizations can cryptographically verify each log file, detect unauthorized changes, and meet compliance requirements for secure ML monitoring and auditing. This aligns with AWS best practices for ML solution monitoring, maintenance, and security, ensuring reliable tracking of model operations and API usage across distributed ML systems.