AWS Certified Security – Specialty — Question 105

A company's Information Security team wants to analyze Amazon EC2 performance and utilization data in near-real time for anomalies. A Security Engineer is responsible for log aggregation. The Engineer must collect logs from all of the company's AWS accounts in a centralized location to perform the analysis.
How should the Security Engineer do this?

Answer options

• A. Log in to each account four times a day and filter the AWS CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.
• B. Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.
• C. Set up an AWS Config aggregator to collect AWS configuration data from multiple sources.
• D. Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Correct answer: D

Explanation

The correct answer is D because it allows for efficient and automated collection of log data from multiple accounts into a centralized location using Amazon CloudWatch and Kinesis Data Firehose. Option A is impractical due to the manual effort required, option B does not provide real-time anomaly detection capabilities, and option C is focused on configuration data rather than performance logs.