AWS Certified Solutions Architect – Associate (SAA-C02) — Question 779
A company has three AWS accounts: Management, Development, and Production. These accounts use AWS services only in the us-east-1 Region. All accounts have a VPC with VPC Flow Logs configured to publish data to an Amazon S3 bucket in each separate account. For compliance reasons, the company needs an ongoing method to aggregate all the VPC flow logs across all accounts into one destination S3 bucket in the Management account.
What should a solutions architect do to meet these requirements with the LEAST operational overhead?
Answer options
- A. Add S3 Same-Region Replication rules in each S3 bucket that stores VPC flow logs to replicate objects to the destination S3 bucket. Configure the destination S3 bucket to allow objects to be received from the S3 buckets in other accounts.
- B. Set up an IAM user in the Management account. Grant permissions to the IAM user to access the S3 buckets that contain the VPC flow logs. Run the aws s3 sync command in the AWS CLI to copy the objects to the destination S3 bucket.
- C. Use an S3 inventory report to specify which objects in the S3 buckets to copy. Perform an S3 batch operation to copy the objects into the destination S3 bucket in the Management account with a single request.
- D. Create an AWS Lambda function in the Management account. Grant S3 GET permissions on the source S3 buckets. Grant S3 PUT permissions on the destination S3 bucket. Configure the function to invoke when objects are loaded in the source S3 buckets.
Correct answer: A
Explanation
S3 Same-Region Replication (SRR) is a fully managed, native S3 feature that automatically and continuously replicates objects to a bucket in a different AWS account within the same Region. It needs only a one-time configuration (a replication rule on each source bucket plus a bucket policy on the destination) and no ongoing maintenance. Options B, C, and D are incorrect because they rely on custom scripting, manual batch operations, or writing and maintaining AWS Lambda code, all of which add significantly more operational overhead.
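To make the "minimal setup" of option A concrete, the following is an added example (not part of the original question or of any AWS documentation) that builds the three documents cross-account SRR requires: the IAM policy for the replication role S3 assumes in the source account, the replication rule on the source bucket, and the bucket policy the Management account must attach to the destination bucket. All account IDs, bucket names and the role name are constructed placeholders. Two caveats the exam explanation glosses over: versioning must be enabled on both buckets before a rule can be created, and a replication rule only covers objects written after it exists (earlier flow-log objects would need S3 Batch Replication).

```python
"""Cross-account S3 Same-Region Replication for VPC flow logs.

Added example: generates the replication role policy, the replication rule and the
destination bucket policy, and cross-checks them for consistency. Values below are
constructed placeholders, not real accounts or buckets.
"""
import json

SOURCE_ACCOUNT = "111111111111"   # placeholder: e.g. the Development account
DEST_ACCOUNT = "999999999999"     # placeholder: the Management account
SOURCE_BUCKET = "dev-vpc-flow-logs-example"          # placeholder
DEST_BUCKET = "mgmt-vpc-flow-logs-aggregate-example"  # placeholder
# Hypothetical role name; it must exist in the source account with s3.amazonaws.com as trusted service.
REPLICATION_ROLE = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/S3FlowLogReplicationRole"


def replication_role_policy(source_bucket, dest_bucket):
    """IAM policy for the role S3 assumes: read the source bucket, write replicas to the destination."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{source_bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:GetObjectVersionForReplication",
                        "s3:GetObjectVersionAcl",
                        "s3:GetObjectVersionTagging"],
             "Resource": f"arn:aws:s3:::{source_bucket}/*"},
            {"Effect": "Allow",
             "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                        "s3:ReplicateTags", "s3:ObjectOwnerOverrideToBucketOwner"],
             "Resource": f"arn:aws:s3:::{dest_bucket}/*"},
        ],
    }


def replication_configuration(role_arn, dest_bucket, dest_account, prefix="AWSLogs/"):
    """Replication rule for the source bucket (PutBucketReplication payload).

    VPC Flow Logs deliver under the AWSLogs/ prefix, so filtering on it keeps unrelated
    objects out. AccessControlTranslation makes the Management account own the replicas,
    so it can read them without per-object ACL gymnastics.
    """
    return {
        "Role": role_arn,
        "Rules": [{
            "ID": "aggregate-vpc-flow-logs",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {"Prefix": prefix},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {
                "Bucket": f"arn:aws:s3:::{dest_bucket}",
                "Account": dest_account,
                "AccessControlTranslation": {"Owner": "Destination"},
            },
        }],
    }


def destination_bucket_policy(dest_bucket, source_role_arns):
    """Bucket policy for the Management bucket: each source account's replication role may
    write replicas and hand over ownership. Without this, cross-account replication fails."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowReplicationWrites",
             "Effect": "Allow",
             "Principal": {"AWS": source_role_arns},
             "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                        "s3:ReplicateTags", "s3:ObjectOwnerOverrideToBucketOwner"],
             "Resource": f"arn:aws:s3:::{dest_bucket}/*"},
            {"Sid": "AllowReplicationBucketAccess",
             "Effect": "Allow",
             "Principal": {"AWS": source_role_arns},
             "Action": ["s3:ListBucket", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
             "Resource": f"arn:aws:s3:::{dest_bucket}"},
        ],
    }


def validate(config, dest_policy):
    """Return a list of mismatches between the rule and the destination policy (empty = consistent)."""
    problems = []
    rule = config["Rules"][0]
    dest_arn = rule["Destination"]["Bucket"]
    allowed_roles = dest_policy["Statement"][0]["Principal"]["AWS"]
    if config["Role"] not in allowed_roles:
        problems.append("replication role is not a principal in the destination bucket policy")
    if dest_policy["Statement"][0]["Resource"] != dest_arn + "/*":
        problems.append("destination policy object resource does not match the rule's destination bucket")
    if rule["Destination"].get("AccessControlTranslation", {}).get("Owner") != "Destination":
        problems.append("replicas would stay owned by the source account")
    return problems


if __name__ == "__main__":
    cfg = replication_configuration(REPLICATION_ROLE, DEST_BUCKET, DEST_ACCOUNT)
    pol = destination_bucket_policy(DEST_BUCKET, [REPLICATION_ROLE])
    print(json.dumps(cfg, indent=2))
    print(json.dumps(pol, indent=2))
    print("problems:", validate(cfg, pol))
```

For three source accounts, `destination_bucket_policy` takes the list of all three replication role ARNs as principals; each source account applies its own rule with `aws s3api put-bucket-replication`, after `aws s3api put-bucket-versioning` has enabled versioning on both sides.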