AWS Certified Security – Specialty — Question 357
A company recently began using Amazon Route 53 as its DNS provider. The company must log public DNS queries that Route 53 receives. The company has activated Route 53 public DNS query logging. The queries must be stored in a highly durable storage solution that deletes logs that are older than 1 year.
Which solution will meet these requirements MOST cost-effectively?
Answer options
- A. Configure Route 53 to export log data to Amazon S3. Configure an S3 Lifecycle policy that deletes objects in the target S3 bucket that are older than 1 year.
- B. Configure Route 53 to export log data to Amazon S3. Configure an AWS Lambda function to run every hour to delete log files that are older than 1 year.
- C. Configure Route 53 to export log data to Amazon CloudWatch Logs. For the target CloudWatch Logs log group, set the retention period to 1 year.
- D. Configure Route 53 to export log data to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to identify and delete log entries that are older than 1 year.
Correct answer: A
Explanation
Amazon S3 provides highly durable and far cheaper storage than Amazon CloudWatch Logs, which makes it the better choice for long-term log archiving. Using an S3 Lifecycle policy to expire objects older than 1 year is a native, automated mechanism with no additional cost, whereas a custom AWS Lambda function adds execution and invocation costs. Both CloudWatch Logs options are more expensive overall, and CloudWatch Logs Insights is a query tool: it cannot delete individual log entries.
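The lifecycle rule from option A expressed as a CloudFormation bucket definition, added here as an illustration and not part of the original question; the bucket name and key prefix are assumptions, and the noncurrent-version and multipart-upload clauses are included because a bucket with versioning enabled would otherwise keep paying for old versions after the expiration rule fires.

```yaml
# Added example (not from the question): an S3 bucket whose lifecycle rule
# expires Route 53 query log objects after 1 year. Bucket name and prefix
# are assumed values; replace them with your own.
Resources:
  QueryLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: example-route53-query-logs   # assumed; must be globally unique
      PublicAccessBlockConfiguration:          # logs should never be publicly readable
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: ExpireQueryLogsAfterOneYear
            Status: Enabled
            Prefix: route53-query-logs/        # assumed key prefix the export writes under
            ExpirationInDays: 365              # S3 deletes current objects older than 1 year
            NoncurrentVersionExpiration:       # only relevant if versioning is enabled;
              NoncurrentDays: 365              # without it, old versions keep accruing cost
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 7           # clean up stale partial uploads
```

Expiration actions run asynchronously, so an object may remain listed for a short time after its expiry date; check the bucket's `CreationDate` offsets in S3 Inventory or `list-objects` output if you need to confirm the rule is taking effect.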