Q26 — AWS DEA-C01 Ch.1

A company has a production AWS account that runs company workloads. The company's security team created a security AWS account to store and analyze security logs from the production AWS account. The security logs in the production AWS account are stored in Amazon CloudWatch Logs. The company needs to use Amazon Kinesis Data Streams to deliver the security logs to the security AWS account. Which solution will meet these requirements?

Correct Answer: B. Create a destination data stream in the security AWS account. Create an IAM role and a trust policy to grant CloudWatch Logs the permission to put data into the stream. Create a subscription filter in the security AWS account.

Explanation

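This question covers AWS service integration and cross-account access setup, specifically cross-account data transfer between Amazon CloudWatch Logs and Kinesis Data Streams. The correct approach must ensure that the destination data stream resides in the security account and that the production account's CloudWatch Logs service is granted write permission to it. According to AWS architecture best practices, a cross-account scenario requires creating the resource in the destination account and configuring a trust policy. Option A is incorrect because the data stream should be in the security account, not the production account. Option C has the direction wrong: the data stream should not remain in the production account. Option B matches the AWS documentation guidance: create the data stream in the security account, use an IAM role trust policy to allow CloudWatch Logs from the production account to publish data, and configure a subscription filter in the production account that points to the stream in the security account.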