AWS Certified Database – Specialty — Question 297
An ecommerce company uses Amazon DynamoDB as the backend for its payments system. A new regulation requires the company to log all data access requests for financial audits. For this purpose, the company plans to use AWS logging and save logs to Amazon S3.
How can a database specialist activate logging on the database?
Answer options
- A. Use AWS CloudTrail to monitor DynamoDB control-plane operations. Create a DynamoDB stream to monitor data-plane operations. Pass the stream to Amazon Kinesis Data Streams. Use that stream as a source for Amazon Kinesis Data Firehose to store the data in an Amazon S3 bucket.
- B. Use AWS CloudTrail to monitor DynamoDB data-plane operations. Create a DynamoDB stream to monitor control-plane operations. Pass the stream to Amazon Kinesis Data Streams. Use that stream as a source for Amazon Kinesis Data Firehose to store the data in an Amazon S3 bucket.
- C. Create two trails in AWS CloudTrail. Use Trail1 to monitor DynamoDB control-plane operations. Use Trail2 to monitor DynamoDB data-plane operations.
- D. Use AWS CloudTrail to monitor DynamoDB data-plane and control-plane operations.
Correct answer: D
Explanation
AWS CloudTrail natively supports logging both control-plane (management) and data-plane (data events like GetItem or PutItem) operations for Amazon DynamoDB directly to an Amazon S3 bucket. Option D is the most straightforward and efficient solution because it avoids the unnecessary architectural complexity of using DynamoDB Streams, Amazon Kinesis Data Streams, or multiple CloudTrail trails as suggested in the other options.