AWS Certified Solutions Architect – Professional (SAP-C02) — Question 509
A company has multiple AWS accounts that are in an organization in AWS Organizations. The company needs to store AWS account activity and query the data from a central location by using SQL.
Which solution will meet these requirements?
Answer options
- A. Create an AWS CloudTrail trail in each account. Specify CloudTrail management events for the trail. Configure CloudTrail to send the events to Amazon CloudWatch Logs. Configure CloudWatch cross-account observability. Query the data in CloudWatch Logs Insights.
- B. Use a delegated administrator account to create an AWS CloudTrail Lake data store. Specify CloudTrail management events for the data store. Enable the data store for all accounts in the organization. Query the data in CloudTrail Lake.
- C. Use a delegated administrator account to create an AWS CloudTrail trail. Specify CloudTrail management events for the trail. Enable the trail for all accounts in the organization. Keep all other settings as default. Query the CloudTrail data from the CloudTrail event history page.
- D. Use AWS CloudFormation StackSets to deploy AWS CloudTrail Lake data stores in each account. Specify CloudTrail management events for the data stores. Keep all other settings as default. Query the data in CloudTrail Lake.
Correct answer: B
Explanation
AWS CloudTrail Lake is a managed service that aggregates, stores, and lets users query activity logs with standard SQL. By using a delegated administrator account to create an organization-wide event data store, the company centralizes the activity logs of every account in the organization and queries them from one place. The other options do not satisfy both requirements: CloudWatch Logs Insights does not use standard SQL, and individual trails or per-account data stores deployed through StackSets do not provide centralized SQL querying across the organization.