Q26 — AWS DOP-C02 Ch.1

A company publishes application logs to an Amazon CloudWatch Logs log group in the us-east-1 Region. The company needs to export these logs weekly from us-east-1 to the us-west-2 Region. Logs must be encrypted in both Regions.

Correct Answer: D. Create an Amazon S3 bucket in us-east-1 and another in us-west-2. Configure server-side encryption using AWS KMS keys (SSE-KMS) and enable versioning on both S3 buckets. Create and schedule an AWS Lambda function to run weekly and export last week’s CloudWatch Logs to the us-east-1 S3 bucket. Configure replication rules on the us-east-1 S3 bucket to replicate logs to the us-west-2 S3 bucket.

Explanation

Option D is optimal because it satisfies all requirements: SSE-KMS provides stronger encryption control than SSE-S3, versioning adds durability (and S3 replication requires versioning to be enabled on both the source and destination buckets), and cross-Region S3 replication ensures secure, managed, and consistent transfer of encrypted logs between Regions. While Option B encrypts at rest in us-west-2, it lacks encryption during transit and fails to guarantee encryption in us-east-1. Option C uses SSE-S3 and omits KMS-based encryption, reducing key management control. Option A lacks encryption in us-east-1 and does not protect data in transit. Only Option D ensures end-to-end encryption (at rest in both Regions and in transit via S3 replication) and operational simplicity.