AWS Certified Solutions Architect – Professional (SAP-C02) — Question 326

A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing.

A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load. The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process.

Which combination of steps should the solutions architect take to meet the requirements? (Choose three.)

Answer options

• A. Create a destination Amazon Kinesis data stream in the central logging account.
• B. Create a destination Amazon Simple Queue Service (Amazon SQS) queue in the central logging account.
• C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data stream. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.
• D. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Simple Queue Service (Amazon SQS) queue. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a single subscription filter for all log groups to send data to the SQS queue.
• E. Create an AWS Lambda function. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.
• F. Create an AWS Lambda function. Program the Lambda function to normalize the logs in the member accounts and to write the logs to the security tool.

Correct answer: A, C, E

Explanation

Amazon Kinesis Data Streams is designed for real-time, high-volume streaming data ingestion and can scale to handle fluctuating workloads, making it the correct destination choice over SQS, which is not a native direct target for CloudWatch subscription filters. Configuring subscription filters on each log group with the appropriate cross-account IAM permissions ensures secure, real-time log delivery from member accounts to the central Kinesis stream. Finally, using AWS Lambda in the central logging account allows for centralized, serverless log processing and normalization before streaming to the final security tool, avoiding the administrative overhead of deploying and managing Lambda functions across all member accounts.