AWS Certified Security – Specialty — Question 252

A security team is implementing a centralized logging solution to meet requirements for auditing. The solution must be able to aggregate logs from Amazon
CloudWatch and AWS CloudTrail to an account that is controlled by the security team. This approach must be usable across the entire organization in AWS
Organizations.
Which solution meets these requirements in the MOST operationally efficient manner?

Answer options

• A. In each AWS account, create an Amazon Kinesis Data Firehose delivery stream that has a destination of Amazon S3 in the security team's account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis Data Firehose delivery stream in the same account. For the organization, create a CloudTrail trail that has a destination of Amazon S3.
• B. In the security team's account, create an Amazon Kinesis Data Firehose delivery stream that has a destination of Amazon S3 in the same account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis Data Firehose delivery stream in the security team's account. For each AWS account, create a CloudTrail trail that has a destination of Amazon S3.
• C. In each AWS account, create an Amazon Kinesis data stream that has a destination of Amazon S3 in the security team's account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis data stream in the same account. For the organization, create a CloudTrail trail that has a destination of Amazon S3.
• D. In the security team's account, create an Amazon Kinesis data stream that has a destination of Amazon S3 in the same account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis data stream in the security team's account. For each AWS account, create a CloudTrail trail that has a destination of Amazon S3.

Correct answer: B

Explanation

Option B is the most operationally efficient solution because it centralizes the logging in the security team's account while allowing CloudWatch Logs from all other accounts to stream directly to it. This avoids the redundancy of creating separate delivery streams in each account as seen in Option A, and it efficiently manages the CloudTrail trails by allowing them to be created in each account while directing logs to a single destination, thus simplifying management and compliance.