Exam AWS Certified Security - Specialty topic 1 question 270 discussion

B https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions-Firehose.html

A centralized Amazon Kinesis Data Streams and Amazon Kinesis Data Firehose are provisioned to index log events on the centralized Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain. The CloudWatch Logs destinations created to stream log events, have Kinesis Data Streams as their target. Once the log events stream to Kinesis Data Streams, the service invokes an AWS Lambda function to transform each log event to an Amazon OpenSearch Service document, which is then put into Kinesis Data Firehose. You can monitor Kinesis Data Firehose while it sends custom CloudWatch Logs containing detailed monitoring data for each delivery stream. https://aws.amazon.com/solutions/implementations/centralized-logging/ that take me toward B

Correct answer is B. First, let's rule out KDS since the final destination is S3, then KDF is a well suite tool. Second, on each send account create a subscription filter for CW LogGroup we want. Create a subscription destination on the central account, and KDF delivery stream, and the central S3 bucket. As for CT, things are much simpler, CT in each account has a trail that points to the central S3 bucket.

We only need one delivery stream in the security team's account. Furthermore, Kinesis Data Firehose is intended for monitoring network security events in real-time. B

The Kinesis Data Firehose delivery stream should be created in the logging account only. The delivery stream will receive logs from all AWS accounts and regions where CloudWatch log groups are configured to stream logs to the delivery stream. When you configure a subscription filter in CloudWatch, you specify the Kinesis Data Firehose delivery stream as the destination for the logs. This means that the CloudWatch logs will be sent to the delivery stream, which is located in the logging account. IAM role assumed by the CloudTrail trail in each account and region should have permissions to deliver logs to the Kinesis Data Firehose delivery stream in the logging account.

C and D are wrong because Kinesis Data Streams can't write data to S3. Only Firehose can. Between A and B, both would work but B is more operationally efficient.

Option A is less operationally efficient because it would require creating a separate Kinesis Data Firehose delivery stream and a subscription for each Amazon CloudWatch Logs log group in each AWS account. This would lead to a large number of resources that would need to be managed and maintained, which would increase operational complexity and costs. Option B is more operationally efficient because it would only require creating a single Kinesis Data Firehose delivery stream and a single subscription for all the Amazon CloudWatch Logs log groups in all the accounts in the organization, which would reduce the number of resources that need to be managed and maintained, and thus simplify the overall solution.

Amazon Kinesis Data Streams is a serverless streaming data service that makes it easy to capture, process, and store data streams at any scale.

org level cloudtrail

B. https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cloudwatch-logs/ To establish cross-account and cross-Region streaming using Kinesis Data Firehose in a supported Region, perform the following steps: 1. Create an Amazon S3 bucket in the destination account. Create an AWS Identity and Access Management (IAM) role. Then, attach the required permission for Kinesis Data Firehose to push data to S3. 2. Create a destination for Kinesis Data Firehose in the destination account. Create an IAM role for Amazon CloudWatch Logs service to push data to Kinesis Data Firehose service. Then, create a destination delivery stream to which the logs will be pushed. 3. Enable VPC Flow Logs and push the logs to Amazon CloudWatch for the source account. 4. Create a subscription filter in the source account that points to the destination account. 5. Validate the flow of log events in the Amazon S3 bucket in the destination account.

answer is B. Kinesis Data Firehose support cross account access

Oranizational cloudtrail is much more EFFECTIVE https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html When you create an organization trail, a trail with the name that you give it is created in every AWS account that belongs to your organization.

Answer:B!!

Answer is B

"MOST EFFECTIVELY in terms of operational efficiency" Firehost is preferred to Stream; Setting up Firehost in a single account is preferred to multiple accounts.

B: Cross-account log data sharing using Kinesis Data Firehose Important Kinesis Data Firehose must to be created in the log data recipient account.

Storing in S3 is Firehose Cloud Trail for org level not each account