AWS Certified Solutions Architect – Professional — Question 834
A company has multiple AWS accounts hosting IT applications. An Amazon CloudWatch Logs agent is installed on all Amazon EC2 instances. The company wants to aggregate all security events in a centralized AWS account dedicated to log storage.
Security Administrators need to perform near-real-time gathering and correlating of events across multiple AWS accounts.
Which solution satisfies these requirements?
Answer options
- A. Create a Log Audit IAM role in each application AWS account with permissions to view CloudWatch Logs, configure an AWS Lambda function to assume the Log Audit role, and perform an hourly export of CloudWatch Logs data to an Amazon S3 bucket in the logging AWS account.
- B. Configure CloudWatch Logs streams in each application AWS account to forward events to CloudWatch Logs in the logging AWS account. In the logging AWS account, subscribe an Amazon Kinesis Data Firehose stream to Amazon CloudWatch Events, and use the stream to persist log data in Amazon S3.
- C. Create Amazon Kinesis Data Streams in the logging account, subscribe the stream to CloudWatch Logs streams in each application AWS account, configure an Amazon Kinesis Data Firehose delivery stream with the Data Streams as its source, and persist the log data in an Amazon S3 bucket inside the logging AWS account.
- D. Configure CloudWatch Logs agents to publish data to an Amazon Kinesis Data Firehose stream in the logging AWS account, use an AWS Lambda function to read messages from the stream and push messages to Data Firehose, and persist the data in Amazon S3.
Correct answer: C
Explanation
Option C is correct because using CloudWatch Logs subscription filters to stream logs to a centralized Amazon Kinesis Data Stream in another account, and then using Amazon Kinesis Data Firehose to write to Amazon S3, is the standard AWS-recommended pattern for real-time cross-account log aggregation. Option A is wrong because hourly exports to S3 do not meet the near-real-time requirement. Options B and D are incorrect because CloudWatch Logs cannot stream cross-account directly to another CloudWatch Logs group or directly to Kinesis Data Firehose without utilizing Kinesis Data Streams as the destination.