AWS Certified Data Analytics – Specialty — Question 92

A company has an encrypted Amazon Redshift cluster. The company recently enabled Amazon Redshift audit logs and needs to ensure that the audit logs are also encrypted at rest. The logs are retained for 1 year. The auditor queries the logs once a month.
What is the MOST cost-effective way to meet these requirements?

Answer options

• A. Encrypt the Amazon S3 bucket where the logs are stored by using AWS Key Management Service (AWS KMS). Copy the data into the Amazon Redshift cluster from Amazon S3 on a daily basis. Query the data as required.
• B. Disable encryption on the Amazon Redshift cluster, configure audit logging, and encrypt the Amazon Redshift cluster. Use Amazon Redshift Spectrum to query the data as required.
• C. Enable default encryption on the Amazon S3 bucket where the logs are stored by using AES-256 encryption. Copy the data into the Amazon Redshift cluster from Amazon S3 on a daily basis. Query the data as required.
• D. Enable default encryption on the Amazon S3 bucket where the logs are stored by using AES-256 encryption. Use Amazon Redshift Spectrum to query the data as required.

Correct answer: D

Explanation

Option D is correct because it ensures that the logs stored in S3 are encrypted using AES-256 and allows querying through Amazon Redshift Spectrum, which is cost-effective since it avoids unnecessary data transfers. Option A incurs costs from data transfers to Redshift, while Option B incorrectly suggests disabling encryption on the Redshift cluster. Option C, while encrypting logs, requires the additional cost of moving data to Redshift daily, making it less cost-effective than option D.