AWS Certified Solutions Architect – Professional — Question 864
A bank is designing an online customer service portal where customers can chat with customer service agents. The portal is required to maintain a 15-minute RPO or RTO in case of a regional disaster. Banking regulations require that all customer service chat transcripts must be preserved on durable storage for at least 7 years, chat conversations must be encrypted in-flight, and transcripts must be encrypted at rest. The Data Loss Prevention team requires that data at rest must be encrypted using a key that the team controls, rotates, and revokes.
Which design meets these requirements?
Answer options
- A. The chat application logs each chat message into Amazon CloudWatch Logs. A scheduled AWS Lambda function invokes a CloudWatch Logs CreateExportTask every 5 minutes to export chat transcripts to Amazon S3. The S3 bucket is configured for cross-region replication to the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the S3 bucket.
- B. The chat application logs each chat message into two different Amazon CloudWatch Logs groups in two different regions, with the same AWS KMS key applied. Both CloudWatch Logs groups are configured to export logs into an Amazon Glacier vault with a 7-year vault lock policy with a KMS key specified.
- C. The chat application logs each chat message into Amazon CloudWatch Logs. A subscription filter on the CloudWatch Logs group feeds into an Amazon Kinesis Data Firehose which streams the chat messages into an Amazon S3 bucket in the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the Kinesis Data Firehose.
- D. The chat application logs each chat message into Amazon CloudWatch Logs. The CloudWatch Logs group is configured to export logs into an Amazon Glacier vault with a 7-year vault lock policy. Glacier cross-region replication mirrors chat archives to the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the Amazon Glacier vault.
Correct answer: C
Explanation
Option C is correct because utilizing a CloudWatch Logs subscription filter coupled with Amazon Kinesis Data Firehose enables near-real-time streaming of logs to an S3 bucket in a secondary region, easily satisfying the 15-minute RPO/RTO constraint. Option A is incorrect because CloudWatch Logs CreateExportTask can take up to several hours to export data and does not support near-real-time replication. Options B and D are incorrect because CloudWatch Logs cannot export directly to Amazon S3 Glacier, and Glacier does not support direct cross-region replication in the manner described.
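The Option C pipeline expressed as a CloudFormation template, added here as a worked example; it is not part of the question and is not an AWS-provided artifact. The log group name, role and key names, and every `PLACEHOLDER` value are assumptions. It assumes the backup-region bucket already exists with Object Lock retention set to 7 years and default SSE-KMS using a key created in that region, because KMS keys and S3 SSE-KMS are regional, so the key that encrypts the transcripts on S3 has to live in the backup region rather than with the log group and the delivery stream.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - chat transcripts via CloudWatch Logs subscription filter and Firehose to a backup-region bucket

Parameters:
  BackupBucketArn:      # placeholder - bucket pre-created in the backup region with Object Lock (7-year retention)
    Type: String
    Default: arn:aws:s3:::PLACEHOLDER-chat-transcript-backup
  BackupBucketKeyArn:   # placeholder - KMS key in the backup region used for the bucket's default SSE-KMS
    Type: String
    Default: arn:aws:kms:PLACEHOLDER-backup-region:111122223333:key/PLACEHOLDER-key-id

Resources:
  # Key 1 (DLP-controlled): encrypts the CloudWatch Logs group at rest.
  # Revoking access means removing the AllowCloudWatchLogs statement; rotation is automatic.
  LogsKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: KeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"
          - Sid: AllowCloudWatchLogs   # scoped to this one log group via the encryption context
            Effect: Allow
            Principal:
              Service: !Sub "logs.${AWS::Region}.amazonaws.com"
            Action: [kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey*, kms:Describe*]
            Resource: "*"
            Condition:
              ArnLike:
                kms:EncryptionContext:aws:logs:arn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/bank/chat-transcripts"

  # Key 2 (DLP-controlled): a separate key for data buffered inside the Firehose delivery stream.
  FirehoseKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: KeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"

  ChatLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /bank/chat-transcripts
      KmsKeyId: !GetAtt LogsKey.Arn
      RetentionInDays: 2557   # assumption - the durable 7-year copy is the Object-Locked bucket, not this group

  # Role Firehose assumes to write into the backup-region bucket (least privilege: one bucket, one key).
  FirehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: WriteTranscripts
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:PutObject, s3:GetBucketLocation, s3:ListBucket, s3:AbortMultipartUpload]
                Resource: [!Ref BackupBucketArn, !Sub "${BackupBucketArn}/*"]
              - Effect: Allow   # needed for the bucket's default SSE-KMS in the backup region
                Action: [kms:GenerateDataKey, kms:Decrypt]
                Resource: !Ref BackupBucketKeyArn

  TranscriptStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamType: DirectPut
      DeliveryStreamEncryptionConfigurationInput:
        KeyType: CUSTOMER_MANAGED_CMK
        KeyARN: !GetAtt FirehoseKey.Arn
      ExtendedS3DestinationConfiguration:
        BucketARN: !Ref BackupBucketArn
        RoleARN: !GetAtt FirehoseRole.Arn
        BufferingHints:        # 60 s buffer keeps delivery well inside the 15-minute RPO
          IntervalInSeconds: 60
          SizeInMBs: 5

  # Role CloudWatch Logs assumes to push matching events into the delivery stream.
  LogsToFirehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "logs.${AWS::Region}.amazonaws.com"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutToFirehose
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [firehose:PutRecord, firehose:PutRecordBatch]
                Resource: !GetAtt TranscriptStream.Arn

  TranscriptSubscription:
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      LogGroupName: !Ref ChatLogGroup
      FilterPattern: ""        # empty pattern forwards every chat message
      DestinationArn: !GetAtt TranscriptStream.Arn
      RoleArn: !GetAtt LogsToFirehoseRole.Arn
```

Each stage in this design is encrypted with a key whose policy the DLP team owns: the log group with `LogsKey`, the stream buffers with `FirehoseKey`, and the S3 objects with the backup-region key behind the bucket's default encryption. The transport between the services is TLS, which covers the in-flight requirement. Revocation is a key-policy edit (or `kms:DisableKey`) rather than a change to the application, and the `kms:EncryptionContext:aws:logs:arn` condition stops `LogsKey` from being usable by any other log group in the account.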