AWS Certified Security – Specialty — Question 139
A company has hundreds of AWS accounts, and a centralized Amazon S3 bucket used to collect AWS CloudTrail logs for all of these accounts. A Security Engineer wants to create a solution that will enable the company to run ad hoc queries against its CloudTrail logs dating back 3 years from when the trails were first enabled in the company's AWS account.
How should the company accomplish this with the least amount of administrative overhead?
Answer options
- A. Run an Amazon EMR cluster that uses a MapReduce job to examine the CloudTrail trails.
- B. Use the events history feature of the CloudTrail console to query the CloudTrail trails.
- C. Write an AWS Lambda function to query the CloudTrail trails. Configure the Lambda function to be executed whenever a new file is created in the CloudTrail S3 bucket.
- D. Create an Amazon Athena table that looks at the S3 bucket the CloudTrail trails are being written to. Use Athena to run queries against the trails.
Correct answer: D
Explanation
The correct answer is D because creating an Amazon Athena table over the S3 bucket allows the CloudTrail logs to be queried in place with standard SQL, without provisioning or operating any additional infrastructure. Options A and C involve more complexity and administrative overhead: an EMR cluster must be sized, patched and paid for while idle, and a Lambda function triggered on each new log file only processes events as they arrive rather than answering ad hoc questions over three years of history. Option B, the CloudTrail console event history, only retains the most recent 90 days of management events, so it cannot reach back three years.
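As an added illustration of option D (this is example SQL written for this page, not part of the original question or an AWS-published artifact): an Athena external table over a centralized CloudTrail bucket, using partition projection so that no partitions ever have to be added by hand as hundreds of accounts keep writing logs. The bucket name, the organization id `o-example`, the region list and the projection start date are placeholders and assumptions; the column subset is enough for common security queries, and CloudTrail's JSON SerDe ignores fields that are not declared.

```sql
-- Example table over a centralized CloudTrail bucket (names are placeholders).
-- Assumed object layout, as written by an organization trail:
--   s3://cloudtrail-central-bucket/AWSLogs/o-example/<account>/CloudTrail/<region>/yyyy/MM/dd/
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_logs (
  eventVersion STRING,
  userIdentity STRUCT<
    type: STRING,
    principalId: STRING,
    arn: STRING,
    accountId: STRING,
    accessKeyId: STRING,
    userName: STRING,
    sessionContext: STRUCT<
      attributes: STRUCT<mfaAuthenticated: STRING, creationDate: STRING>,
      sessionIssuer: STRUCT<type: STRING, principalId: STRING, arn: STRING,
                            accountId: STRING, username: STRING>>>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestParameters STRING,
  responseElements STRING,
  requestId STRING,
  eventId STRING,
  eventType STRING,
  readOnly STRING,
  recipientAccountId STRING
)
-- Partition columns are taken from the S3 key, not from the JSON body.
PARTITIONED BY (account STRING, region STRING, event_day STRING)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazonaws.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://cloudtrail-central-bucket/AWSLogs/o-example/'
TBLPROPERTIES (
  'projection.enabled' = 'true',
  -- "injected": the account id is supplied by the query's WHERE clause,
  -- so hundreds of accounts need no enum list or manual partition adds.
  'projection.account.type' = 'injected',
  'projection.region.type' = 'enum',
  'projection.region.values' = 'us-east-1,us-west-2,eu-west-1',   -- assumed regions
  'projection.event_day.type' = 'date',
  'projection.event_day.format' = 'yyyy/MM/dd',
  'projection.event_day.interval' = '1',
  'projection.event_day.interval.unit' = 'DAYS',
  'projection.event_day.range' = '2021/01/01,NOW',                -- assumed trail start
  'storage.location.template' =
    's3://cloudtrail-central-bucket/AWSLogs/o-example/${account}/CloudTrail/${region}/${event_day}'
);

-- Ad hoc query: which principals in one account accumulated access-denied
-- errors over a three-year window, and on which API calls. The partition
-- predicates keep Athena from scanning every object in the bucket.
SELECT useridentity.arn            AS principal_arn,
       eventsource,
       eventname,
       count(*)                    AS denied_calls,
       min(eventtime)              AS first_seen,
       max(eventtime)              AS last_seen
FROM   cloudtrail_logs
WHERE  account   = '123456789012'                 -- placeholder account id (required: injected partition)
AND    region    IN ('us-east-1', 'us-west-2')
AND    event_day BETWEEN '2021/01/01' AND '2023/12/31'
AND    errorcode IN ('AccessDenied', 'UnauthorizedOperation')
GROUP  BY useridentity.arn, eventsource, eventname
ORDER  BY denied_calls DESC
LIMIT  50;
```

Two caveats a practitioner will hit: an injected partition key must appear as an equality predicate in every query (queries spanning all accounts would instead use an `enum` list of account ids or a per-account `UNION`), and Athena bills by bytes scanned, so the `event_day` and `region` predicates are what keep a three-year history affordable to query ad hoc.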