Hard · 1 mark · Multiple Choice
Domain 1.4: Multi-Account Environment · Tags: Security, Logging, Multi-Account, KMS

AWS SAP-C02 · Question 52 · Domain 1.4: Multi-Account Environment

An enterprise is setting up a centralized logging architecture using AWS Organizations. They want all VPC Flow Logs, AWS CloudTrail logs, and Amazon Route 53 DNS logs from all member accounts to be sent to a central Amazon S3 bucket in a dedicated 'Log Archive' account. Which TWO configurations are required to achieve this securely? (Select TWO)

Answer options:

A.

Create IAM cross-account roles in the Log Archive account for each member account to assume.

B.

Configure an S3 bucket policy on the central bucket that grants write access to the specific AWS services (CloudTrail, VPC Flow Logs, Route 53) from the organization's accounts.

C.

Encrypt the central S3 bucket with an AWS KMS customer managed key (CMK) whose key policy grants the organization use of the key.

D.

Use AWS Resource Access Manager (RAM) to share the S3 bucket with the organization.

E.

Configure VPC Peering between all member accounts and the Log Archive account.

F.

Enable S3 Block Public Access only on the member accounts.

How to approach this question

Two things have to be true on the Log Archive side: the bucket policy must let the delivering AWS services (not IAM principals in the member accounts) write to the bucket, and any KMS encryption must use a customer managed key, because the key policy of an AWS managed key cannot be edited to admit other accounts or services.

Full Answer

B and C. CloudTrail, VPC Flow Logs and Route 53 Resolver query logging (the Route 53 log type that can be delivered to S3) all write to S3 as AWS service principals: cloudtrail.amazonaws.com for CloudTrail, delivery.logs.amazonaws.com for the other two. The destination bucket's policy therefore has to grant those services s3:PutObject on the log prefixes (and s3:GetBucketAcl on the bucket), and for CloudTrail the usual pattern is one organization trail rather than a trail per member account. Scope each service grant to your organization with aws:SourceArn, aws:SourceAccount or aws:SourceOrgID and require s3:x-amz-acl: bucket-owner-full-control; an unconditioned service-principal grant would let the same service deliver logs from any AWS account into your bucket. If the bucket is encrypted with KMS, which it should be for an audit archive, the key must be a customer managed key (CMK): the AWS managed key aws/s3 has a fixed key policy that cannot be edited, so it cannot authorize the delivering services or readers in other accounts. A CMK's key policy can grant kms:GenerateDataKey* to the services and kms:Decrypt to principals across the organization through an aws:PrincipalOrgID condition.
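The two configurations above, written out as policy documents plus a small lint that catches the usual mistake. This is an added example for this question, not code from the page or from AWS; the organization ID, account IDs, region, bucket name and trail name are assumed placeholders. It uses aws:SourceOrgID to pin the log-delivery service to the whole organization; the per-account alternative shown in the service documentation is aws:SourceAccount together with aws:SourceArn.

```python
"""Central log bucket: S3 bucket policy and KMS key policy for org-wide log delivery.
Added example for this question, not code from the page or AWS; the org ID, account IDs,
region, bucket and trail names below are assumed placeholders."""
import json

ORG_ID = "o-exampleorgid"             # assumed AWS Organizations ID
MGMT_ACCOUNT = "111111111111"         # assumed management account (owns the org trail)
LOG_ARCHIVE_ACCOUNT = "222222222222"  # assumed Log Archive account (owns bucket and key)
REGION = "us-east-1"                  # assumed
BUCKET_ARN = "arn:aws:s3:::example-central-logs"                           # assumed
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{MGMT_ACCOUNT}:trail/org-trail"  # assumed
ORG_SCOPE = {"aws:SourceOrgID": ORG_ID}  # pins service-to-service requests to this org

def bucket_policy() -> dict:
    """Option B: grant the delivering services, each pinned to this organization.
    CloudTrail writes as cloudtrail.amazonaws.com; VPC Flow Logs and Route 53 Resolver
    query logs both arrive through delivery.logs.amazonaws.com. No role is assumed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN,
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        {"Sid": "CloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         # an organization trail writes under both the management-account and org-ID prefixes
         "Resource": [f"{BUCKET_ARN}/AWSLogs/{MGMT_ACCOUNT}/*", f"{BUCKET_ARN}/AWSLogs/{ORG_ID}/*"],
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN,
                                        "s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "LogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Action": ["s3:GetBucketAcl", "s3:ListBucket"], "Resource": BUCKET_ARN,
         "Condition": {"StringEquals": dict(ORG_SCOPE)}},
        {"Sid": "LogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/AWSLogs/*",
         "Condition": {"StringEquals": {**ORG_SCOPE, "s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}

def key_policy() -> dict:
    """Option C: a customer managed key whose policy admits the services and the org.
    None of this is possible with the AWS managed key aws/s3, whose policy is fixed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{LOG_ARCHIVE_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "CloudTrailEncrypt", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN},
                       "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      f"arn:aws:cloudtrail:*:{MGMT_ACCOUNT}:trail/*"}}},
        {"Sid": "LogDeliveryEncrypt", "Effect": "Allow",
         "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringEquals": dict(ORG_SCOPE)}},
        # readers anywhere in the organization (e.g. a security tooling account) may decrypt
        {"Sid": "OrgReadersDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    ]}

SOURCE_PINS = {"aws:SourceArn", "aws:SourceAccount", "aws:SourceOrgID"}

def unscoped_service_grants(policy: dict) -> list[str]:
    """Narrow lint: Sids of Allow statements for a service principal that carry no
    aws:Source* condition. Such a grant lets the same service deliver logs from ANY
    AWS account into this bucket (or encrypt with this key)."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or not isinstance(st.get("Principal"), dict):
            continue
        if "Service" not in st["Principal"]:
            continue
        keys = {k for op in st.get("Condition", {}).values() for k in op}
        if not keys & SOURCE_PINS:
            hits.append(st["Sid"])
    return hits

def without_source_pins(policy: dict) -> dict:
    """The common weak variant: the same grants with every aws:Source* condition removed."""
    weak = json.loads(json.dumps(policy))
    for st in weak["Statement"]:
        for op in st.get("Condition", {}).values():
            for k in [k for k in op if k in SOURCE_PINS]:
                del op[k]
    return weak

if __name__ == "__main__":
    print(json.dumps(bucket_policy(), indent=2))
    print("unscoped in hardened policy:", unscoped_service_grants(bucket_policy()))
    print("unscoped in weak policy:", unscoped_service_grants(without_source_pins(bucket_policy())))
```

The lint only looks for the aws:Source* pins; the CloudTrail key statement is also narrowed by its kms:EncryptionContext condition, which the lint does not credit. Apply the bucket policy to the bucket in the Log Archive account and the key policy to the CMK there; member accounts need no IAM role, VPC connectivity or RAM share for delivery to work.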

Common mistakes

Thinking AWS RAM is used to share S3 buckets. RAM does not support S3 buckets; cross-account access to a bucket is granted by its bucket policy.

Choosing A. The log-delivery services write as AWS service principals, so member accounts never assume a role in the Log Archive account.

Choosing E or F. S3 is not reached over VPC peering, and S3 Block Public Access is a hardening control that belongs on the central bucket's own account; it grants nobody access.
