AWS Certified DevOps Engineer – Professional — Question 183
A company publishes application logs to an Amazon CloudWatch Logs log group in the us-east-1 Region. The company needs to export the logs from us-east-1 to the us-west-2 Region on a weekly basis. The logs must be encrypted in both Regions.
Which solution will meet these requirements?
Answer options
- A. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2.
- B. Create an Amazon S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) for the S3 bucket. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-west-2.
- C. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2.
- D. Create an Amazon S3 bucket in us-east-1. Create an S3 bucket in us-west-2. Configure server-side encryption with AWS KMS keys (SSE-KMS) and turn on versioning for both S3 buckets. Create and schedule an AWS Lambda function to run weekly to export the CloudWatch logs from the last week to the S3 bucket in us-east-1. Configure a replication rule on the S3 bucket in us-east-1 to replicate the logs to the S3 bucket in us-west-2.
Correct answer: D
Explanation
Option D is correct because it uses AWS KMS keys (SSE-KMS) for encryption, which is more secure than SSE-S3, so the encryption requirement is met in both Regions. The other options either do not use KMS for encryption or do not correctly account for transferring the logs to the us-west-2 Region with the required encryption and replication setup.