
Exam AWS Certified Solutions Architect - Professional topic 1 question 694 discussion

A company uses AWS Organizations to manage one parent account and nine member accounts. The number of member accounts is expected to grow as the business grows. A security engineer has requested consolidation of AWS CloudTrail logs into the parent account for compliance purposes. Existing logs currently stored in Amazon S3 buckets in each individual member account should not be lost. Future member accounts should comply with the logging strategy.
Which operationally efficient solution meets these requirements?

  • A. Create an AWS Lambda function in each member account with a cross-account role. Trigger the Lambda functions when new CloudTrail logs are created and copy the CloudTrail logs to a centralized S3 bucket. Set up an Amazon CloudWatch alarm to alert if CloudTrail is not configured properly.
  • B. Configure CloudTrail in each member account to deliver log events to a central S3 bucket. Ensure the central S3 bucket policy allows PutObject access from the member accounts. Migrate existing logs to the central S3 bucket. Set up an Amazon CloudWatch alarm to alert if CloudTrail is not configured properly.
  • C. Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Migrate the existing CloudTrail logs from each member account to the central S3 bucket. Delete the existing CloudTrail and logs in the member accounts.
  • D. Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Configure CloudTrail in each member account to deliver log events to the central S3 bucket.
Suggested Answer: C
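The mechanics that option C relies on come down to one bucket policy on the central S3 bucket in the management account: the organization trail, not each member account, writes the logs, and it writes member-account events under the organization-id prefix, so one grant covers every current and future member account. The Python below is an added example written for this page (it is not code from the exam site or from AWS); every identifier in it (account id, organization id, region, trail and bucket names) is a constructed placeholder. It builds that policy and checks a policy for the settings a reviewer would verify: an `s3:PutObject` grant to the CloudTrail service principal on the organization prefix, pinned with `aws:SourceArn` to the one trail and with the `bucket-owner-full-control` ACL condition, and no write grant to arbitrary principals.

```python
"""Bucket policy for a CloudTrail organization trail: builder and checker.

Added example for the question above; not code from the exam page or from
AWS. All identifiers below are constructed placeholders.
"""
import json

# Constructed placeholders, not real identifiers.
MGMT_ACCOUNT_ID = "111111111111"
ORG_ID = "o-exampleorgid"
REGION = "us-east-1"
TRAIL_NAME = "org-trail"
BUCKET = "example-central-cloudtrail-bucket"

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}
REQUIRED_ACL = "bucket-owner-full-control"


def trail_arn(region=REGION, account_id=MGMT_ACCOUNT_ID, name=TRAIL_NAME):
    """ARN of the organization trail, which lives in the management account."""
    return f"arn:aws:cloudtrail:{region}:{account_id}:trail/{name}"


def _write_condition(arn):
    # Fresh dict per statement so editing one statement never alters another.
    return {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL, "aws:SourceArn": arn}}


def org_trail_bucket_policy(bucket=BUCKET, account_id=MGMT_ACCOUNT_ID,
                            org_id=ORG_ID, region=REGION, name=TRAIL_NAME):
    """Return the policy the central bucket needs for an organization trail.

    The writer is the CloudTrail service principal, not each member account.
    Member-account events are delivered under AWSLogs/<org-id>/<account-id>/,
    so the grant on the organization prefix covers every present and future
    member account. aws:SourceArn pins each grant to this one trail, so a
    trail created in some other account cannot deliver into this bucket.
    """
    arn = trail_arn(region, account_id, name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail reads the bucket ACL before it starts delivering.
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": arn}},
            },
            {   # Events of the management account itself.
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": _write_condition(arn),
            },
            {   # Events of every member account, present and future.
                "Sid": "AWSCloudTrailOrganizationWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",
                "Condition": _write_condition(arn),
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_org_trail_policy(policy, bucket=BUCKET, org_id=ORG_ID, expected_arn=None):
    """Return a list of findings; an empty list means the policy is acceptable."""
    expected_arn = expected_arn or trail_arn()
    org_resource = f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*"
    findings = []
    found_org_grant = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: s3:PutObject granted to any principal")
            continue
        if principal != CLOUDTRAIL_PRINCIPAL or org_resource not in _as_list(stmt.get("Resource", [])):
            continue
        found_org_grant = True
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceArn") != expected_arn:
            findings.append(f"{sid}: aws:SourceArn is not pinned to {expected_arn}")
        if cond.get("s3:x-amz-acl") != REQUIRED_ACL:
            findings.append(f"{sid}: s3:x-amz-acl must be {REQUIRED_ACL}")
    if not found_org_grant:
        findings.append(f"no s3:PutObject grant to cloudtrail.amazonaws.com on {org_resource}")
    return findings


if __name__ == "__main__":
    policy = org_trail_bucket_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", check_org_trail_policy(policy))
```

Because the organization trail delivers member-account events under `AWSLogs/<org-id>/<account-id>/`, a tenth member account needs neither its own trail nor a change to this policy; the check function is the kind of guardrail to run after any edit to the central bucket policy, since dropping the `aws:SourceArn` condition would let a trail in an unrelated account deliver into the compliance bucket.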

Comments

kalyan_krishna742020
Highly Voted 3 years, 9 months ago
I think answer is C. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
upvoted 15 times
ExtHo
Highly Voted 3 years, 8 months ago
C is correct: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html. See the section "Best practices for moving from member account trails to organization trails" for why you delete the existing CloudTrail and logs in the member accounts. Thanks to kalyan_krishna742020 for providing the official AWS link.
upvoted 9 times
sumaju
Most Recent 1 year, 6 months ago
Selected Answer: C
Org Trail is the option. Now between C and D: when the Org Trail is created, it is automatically configured for all member accounts. The line "Configure CloudTrail in each member account to deliver log events to the central S3 bucket" in option D is incorrect. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-best-practice.html
upvoted 1 times
dev112233xx
2 years, 2 months ago
Selected Answer: C
"Best practices for moving from member account trails to organization trails" wait one day then DELETE the account trail https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-best-practice.html
upvoted 1 times
Kyperos
2 years, 10 months ago
Selected Answer: C
I think that consolidating CloudTrail logs will stream logs from all member accounts to the parent account. If you choose D, the existing logs in the member accounts still remain in the member accounts' S3 buckets. If you choose C, the existing logs in the member accounts are migrated to the central account's S3 bucket. So C adheres to the consolidated logging approach! --> Answer is C
upvoted 2 times
Andykris
2 years, 10 months ago
B & C are deleting existing logs, which defeats the requirements. D is the answer
upvoted 2 times
asfsdfsdf
2 years, 11 months ago
Selected Answer: C
Have to choose C. The "most operationally efficient solution" is to create 1 org trail which captures and sends events to a central bucket, deploy it on all member accounts, move the old member accounts' logs to the central bucket and delete them. See the link below: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
upvoted 1 times
ksaru
2 years, 11 months ago
People who answered C: note that the question states that logs must be retained in the member account S3 buckets, and this option deletes them. Hence, D is correct.
upvoted 2 times
sb333
2 years, 8 months ago
The logs should not be lost, so you copy them to the centralized bucket. Then there is no more need for them in the member accounts. The question does not state that they must remain in the member accounts. The answer is C.
upvoted 3 times
kangtamo
3 years ago
Selected Answer: C
Agree with C.
upvoted 1 times
TechIsi
3 years, 2 months ago
Correct answer is C: when you create an organizational trail and specify a bucket, all account trails are automatically configured to send to that bucket. You also have to configure the bucket policy to allow the put action for all the accounts.
upvoted 2 times
westcon
3 years, 2 months ago
DDD https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
upvoted 1 times
jj22222
3 years, 3 months ago
Selected Answer: D
D. Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Configure CloudTrail in each member account to deliver log events to the central S3 bucket.
upvoted 1 times
lifebegins
3 years, 4 months ago
Sorry Dear Friends, Answer is C. We can create the CloudTrail in the Parent Account and set the level to the Entire Organization; CloudTrail is automatically applied to all member accounts. When I did it practically, I understood the truth. Answer is C.
upvoted 1 times
lifebegins
3 years, 4 months ago
Answer B: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html CloudTrail cannot manage the logs for others. Only the destination bucket can be shared centrally.
upvoted 2 times
lifebegins
3 years, 4 months ago
Answer is B: https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Security_Strategy.pdf Refer to "Logging Account Structure".
upvoted 1 times
Yardenfayer
3 years, 4 months ago
It's D: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
upvoted 1 times
futen0326
3 years, 4 months ago
Selected Answer: D
It's D. Question explicitly states that the logs in the member accounts should not be lost. Deleting them does exactly that.
upvoted 1 times
Alvindo
3 years, 3 months ago
I thought that as well, BUT answer C says to migrate the existing logs to the central S3 bucket, so they wouldn't be lost, and I believe enabling CloudTrail (whole organization) in the central account is enough; you don't need to do it in each account.
upvoted 1 times