AWS Certified Database – Specialty — Question 272

A web-based application uses Amazon DocumentDB (with MongoDB compatibility) as its underlying data store. Sufficient access control is in place, but a database specialist wants to be able to review logs if the primary DocumentDB database is deleted.

Which combination of steps should the database specialist take to meet this requirement? (Choose two.)

Answer options

• A. Set the audit_logs cluster parameter to enabled.
• B. Enable DocumentDB log export to Amazon CloudWatch Logs.
• C. Enable Enhanced Monitoring for DocumentDB.
• D. Enable AWS CloudTrail for DocumentDB.
• E. Use AWS Config to monitor the state of DocumentDB.

Correct answer: A, B

Explanation

To audit events in Amazon DocumentDB, you must first enable the audit_logs parameter in the cluster's parameter group. Exporting these logs to Amazon CloudWatch Logs ensures they are preserved and searchable even if the source DocumentDB cluster is deleted. Other options like Enhanced Monitoring, CloudTrail, or AWS Config do not capture or retain internal database engine audit logs.