AWS Certified Solutions Architect – Associate (SAA-C02) — Question 431

A company's security team requests that network traffic be captured in VPC Flow Logs. The logs will be frequently accessed for 90 days and then accessed intermittently.
What should a solutions architect do to meet these requirements when configuring the logs?

Answer options

• A. Use Amazon CloudWatch as the target. Set the CloudWatch log group with an expiration of 90 days.
• B. Use Amazon Kinesis as the target. Configure the Kinesis stream to always retain the logs for 90 days.
• C. Use AWS CloudTrail as the target. Configure CloudTrail to save to an Amazon S3 bucket, and enable S3 Intelligent-Tiering.
• D. Use Amazon S3 as the target. Enable an S3 Lifecycle policy to transition the logs to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.

Correct answer: A

Explanation

Configuring Amazon CloudWatch as the destination for VPC Flow Logs enables efficient real-time monitoring and querying during the initial 90 days of high-frequency access. Setting the log group's retention period to 90 days automatically manages storage costs by deleting the logs once the frequent access phase is complete. Other options, such as using AWS CloudTrail as a target, are not supported configurations for VPC Flow Logs.