AWS Certified Security – Specialty — Question 489

A company is migrating its legacy workloads to AWS. The current security information events management (SIEM) system that analyzes logs is aging, and different SIEM systems are being evaluated to replace it. The company wants to change SIEMs without re-architecture the solution.
What should the Security Engineer do to accomplish this with minimal operational impact?

Answer options

• A. Prepare an AMI with the SIEM log forwarder agent for each workload, and configure it to send logs to a centralized SIEM located in the Security team AWS account. Configure an Amazon EC2 instance base AMI to forward logs to its local log forwarder agent. Deploy an AMI in each workload.
• B. Configure an Amazon EC2 base AMI with an Amazon Kinesis Agent, and configure it to send to Amazon Kinesis Data Streams in the Security team AWS account. Add an AWS Lambda function at Kinesis Data Streams to push streamed logs to the SIEM.
• C. Configure an Amazon EC2 base AMI to send logs to a local AWS CloudTrail log file. Configure CloudTrail to send logs to Amazon CloudWatch. Set up a central SIEM in the Security team AWS account and configure a puller to get information on CloudWatch.
• D. Select a pay-per-use SIEM in the AWS Marketplace. Deploy the AMI in each workload to provide elasticity when required. Use Amazon Athena to send real- time alerts.

Correct answer: B

Explanation

Using Amazon Kinesis Data Streams as an ingestion buffer decoupled from the SIEM allows the company to route logs to any target SIEM by simply modifying the AWS Lambda consumer function, ensuring no re-architecture is needed if the SIEM changes. Option A binds the workloads directly to a specific SIEM agent, which would require re-architecting and redeploying AMIs if the SIEM changes. Option C is incorrect because AWS CloudTrail is designed to capture AWS API calls, not local operating system and application logs from Amazon EC2 instances.