AWS Certified SysOps Administrator – Associate — Question 428
A company uses an Amazon CloudFront distribution to deliver its website. Traffic logs for the website must be centrally stored, and all data must be encrypted at rest.
Which solution will meet these requirements?
Answer options
- A. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with internet access and server-side encryption that uses the default AWS managed customer master key (CMK). Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
- B. Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
- C. Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination.
- D. Create an Amazon S3 bucket that is configured with no default encryption. Enable encryption in the CloudFront distribution, and use the S3 bucket as a log destination.
Correct answer: C
Explanation
Amazon CloudFront standard access logs can be delivered directly to an Amazon S3 bucket, and the bucket can enforce default server-side encryption (SSE-S3 using AES-256) so the logs are encrypted at rest. CloudFront does not support direct log delivery to Amazon OpenSearch Service domains, so options A and B are incorrect. Option D is incorrect because encryption at rest must be configured on the destination S3 bucket itself; CloudFront has no setting that encrypts logs before writing them to an unencrypted bucket.