AWS Certified Solutions Architect – Professional — Question 806
A company uses multiple AWS accounts in a single AWS Region. A solutions architect is designing a solution to consolidate logs generated by Elastic Load Balancers (ELBs) in the AppDev, AppTest, and AppProd accounts. The logs should be stored in an existing Amazon S3 bucket named s3-elb-logs in the central AWS account. The central account is used for log consolidation only and does not have ELBs deployed. ELB logs must be encrypted at rest.
Which combination of steps should the solutions architect take to build the solution? (Choose two.)
Answer options
- A. Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutBucketLogging action for the central AWS account ID.
- B. Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutObject and s3:DeleteObject actions for the AppDev, AppTest, and AppProd account IDs.
- C. Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutObject action for the AppDev, AppTest, and AppProd account IDs.
- D. Enable access logging for the ELBs. Set the S3 location to the s3-elb-logs bucket.
- E. Enable Amazon S3 default encryption using server-side encryption with S3 managed encryption keys (SSE-S3) for the s3-elb-logs S3 bucket.
Correct answer: C
Explanation
To allow the Elastic Load Balancers in the AppDev, AppTest, and AppProd accounts to write their logs to the central S3 bucket, the bucket policy for s3-elb-logs must grant the s3:PutObject permission to those accounts. Granting s3:DeleteObject as well is unnecessary for log delivery and violates the principle of least privilege (a compromised source account could erase evidence), which makes Option C correct over Option B. Additionally, to meet the encryption-at-rest requirement, enabling S3 default encryption with SSE-S3 is required, because ELB access logs support only SSE-S3 and cannot be written to a bucket that requires SSE-KMS.