AWS Certified Developer – Associate (DVA-C02) — Question 347

A developer is publishing critical log data to a log group in Amazon CloudWatch Logs. The log group was created 2 months ago. The developer must encrypt the log data by using an AWS Key Management Service (AWS KMS) key so that future data can be encrypted to comply with the company's security policy.

Which solution will meet this requirement with the LEAST effort?

Answer options

• A. Use the AWS Encryption SDK for encryption and decryption of the data before writing to the log group.
• B. Use the AWS KMS console to associate the KMS key with the log group.
• C. Use the AWS CLI aws logs create-log-group command, and specify the key Amazon Resource Name (ARN).
• D. Use the AWS CLI aws logs associate-kms-key command, and specify the key Amazon Resource Name (ARN).

Correct answer: D

Explanation

The aws logs associate-kms-key CLI command is the most efficient way to link an AWS KMS key to an already existing CloudWatch Logs log group. Using aws logs create-log-group is incorrect because the log group already exists, and the AWS KMS console does not support direct association with CloudWatch log groups. Implementing the AWS Encryption SDK is unnecessary and introduces significant development overhead compared to enabling native service-side encryption.