AWS Certified Database – Specialty — Question 285

A marketing company is using Amazon DocumentDB and requires that database audit logs be enabled. A Database Specialist needs to configure monitoring so that all data definition language (DDL) statements performed are visible to the Administrator. The Database Specialist has set the audit_logs parameter to enabled in the cluster parameter group.
What should the Database Specialist do to automatically collect the database logs for the Administrator?

Answer options

• A. Enable DocumentDB to export the logs to Amazon CloudWatch Logs
• B. Enable DocumentDB to export the logs to AWS CloudTrail
• C. Enable DocumentDB Events to export the logs to Amazon CloudWatch Logs
• D. Configure an AWS Lambda function to download the logs using the download-db-log-file-portion operation and store the logs in Amazon S3

Correct answer: A

Explanation

Enabling the log export to Amazon CloudWatch Logs directly from the Amazon DocumentDB cluster allows the audit logs to be automatically and continuously streamed, satisfying the requirement with minimal overhead. AWS CloudTrail does not capture database-level DDL audit logs, and DocumentDB Events track management events rather than database engine activities. Using an AWS Lambda function with the download-db-log-file-portion API introduces unnecessary operational complexity compared to the native CloudWatch Logs export feature.