AWS Certified Solutions Architect – Associate (SAA-C02) — Question 102

A company has enabled AWS CloudTrail logs to deliver log files to an Amazon S3 bucket for each of its developer accounts. The company has created a central
AWS account for streamlining management and audit reviews. An internal auditor needs to access the CloudTrail logs, yet access needs to be restricted for all developer account users. The solution must be secure and optimized.
How should a solutions architect meet these requirements?

Answer options

• A. Configure an AWS Lambda function in each developer account to copy the log files to the central account. Create an IAM role in the central account for the auditor. Attach an IAM policy providing read-only permissions to the bucket.
• B. Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central account. Create an IAM user in the central account for the auditor. Attach an IAM policy providing full permissions to the bucket.
• C. Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central account. Create an IAM role in the central account for the auditor. Attach an IAM policy providing read-only permissions to the bucket.
• D. Configure an AWS Lambda function in the central account to copy the log files from the S3 bucket in each developer account. Create an IAM user in the central account for the auditor. Attach an IAM policy providing full permissions to the bucket.

Correct answer: C

Explanation

The correct answer is C because it allows CloudTrail logs to be centralized in the central account while ensuring that the auditor has secure, read-only access through an IAM role. Option A incorrectly suggests using Lambda functions in each developer account, which adds unnecessary complexity. Option B grants full permissions, which violates the requirement for restricted access, and option D employs Lambda inappropriately, also granting full permissions to the auditor.