Exam AWS Certified Security - Specialty topic 1 question 175 discussion

Read the prerequisites in the question carefully. The solution must support "near real time" analysis of the log data. Cloudwatch doesn't stream logs to S3; it supports exporting them to S3 with an up to 12 hour expected delay: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html "Log data can take up to 12 hours to become available for export. For near real-time analysis of log data, see Analyzing log data with CloudWatch Logs Insights or Real-time processing of log data with subscriptions instead." https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html "You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as an Amazon Kinesis stream, an Amazon Kinesis Data Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems. When log events are sent to the receiving service, they are Base64 encoded and compressed with the gzip format." Answer: D

CW Logs >>Subscription Filter>>> [Central account Subscription destination] >>[Kinesis Data Firehose in Central account] >>near real-time batch puts>>> [Central account S3 bucket] D is the textbook method of moving CW Logs logs to a centralize S3 bucket in near real-time way using CW Logs Subscription filter and KDF

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

D is the only realistic answer because we need to centralized our logging capabilities across all accounts. Amazon Kinesis stream gives us the ability to stream and analyze the logs in real-time. More importantly the first options required very heavy lifting to achieve the objective. In addition, AWS config does not stream nor process logs for abnormal activity.

Why D ? You can collaborate with an owner of a different AWS account and receive their log events on your AWS resources, such as an Amazon Kinesis or Amazon Kinesis Data Firehose stream (this is known as cross-account data sharing). For example, this log event data can be read from a centralized Kinesis or Kinesis Data Firehose stream to perform custom processing and analysis. Custom processing is especially useful when you collaborate and analyze data across many accounts. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html D

D is the best answer. 'near real-time' + logs = firehose

A. CloudTrail is not for performance and not 'near-real-time' B. S3, object storage, not for near-real-time C. AWS config is not for performance, is it 'near-real-time"? D. Firehose si for near-real-time analysis

two pointers here are cloud watch and real time is kinesis #D

Tough one... feels like it could be either B or D. Personally I might go with B, because although D seems valid, someone linked a blog post that walks through how to do it with B, and I feel like the question creators try to get questions that are answered in aws blogs

D is the obvious answer

D is the correct answer

Amazon Kinesis Data Stream Enables you to build custom, real-time applications that process data streams using popular stream processing frameworks. Amazon Kinesis Data Firehose Amazon Kinesis Data Firehose is the easiest way to capture, transform, and load data streams into AWS data stores for near real-time analytics with existing business intelligence tools. D is the answer

D is the only valid option. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

D for sure, but it's more sysops question than security

D is correct answer

I guess D seems more appropriate as AWS Kinesis data firehose service stream captures a near real-time as data output. https://aws.amazon.com/kinesis/data-firehose/?kinesis-blogs.sort-by=item.additionalFields.createdDate&kinesis-blogs.sort-order=desc

Its B from what I can tell.