Q89 — AWS DOP-C02 Ch.2
A company manages multiple accounts within an AWS Organizations organization. The company requires a solution to send Amazon CloudWatch Logs data to a dedicated AWS account's Amazon S3 bucket. The solution must support both existing and future CloudWatch Logs log groups.
- A. Enable an Organization-wide backup policy to back up all log groups to the dedicated S3 bucket. Add an S3 bucket policy allowing access from all company-owned accounts.
- B. Create a backup plan in AWS Backup. Specify the dedicated S3 bucket as the backup vault. Assign all CloudWatch Logs log group resources to the backup plan. Create resource assignments for all company-owned accounts in the backup plan.
- C. Create a backup plan in AWS Backup. Specify the dedicated S3 bucket as the backup vault. Assign all existing log groups to the backup plan. Create resource assignments for all company-owned accounts in the backup plan. Create an AWS Systems Manager Automation runbook to assign log groups to the backup plan. Create an AWS Config rule with automatic remediation for noncompliant log groups, specifying the runbook as the rule target.
- D. Create a CloudWatch Logs destination and an Amazon Kinesis Data Firehose delivery stream in the dedicated AWS account. Specify the S3 bucket as the delivery stream destination. Create subscription filters for all existing log groups across all accounts. Create an AWS Lambda function to invoke the CloudWatch Logs PutSubscriptionFilter API operation. Create an Amazon EventBridge rule to invoke the Lambda function on LogGroup creation events. ✓
Correct Answer: D.
Explanation
Cross-account delivery of CloudWatch Logs data is done with subscription filters. A subscription filter in a sending account cannot target an S3 bucket directly; it targets a CloudWatch Logs destination in the receiving account, and that destination fronts either a Kinesis Data Streams stream or a Kinesis Data Firehose delivery stream. Firehose is the natural fit here because it writes batched (and optionally compressed) objects to S3 without a custom consumer. Option D builds exactly that: a destination and a Firehose delivery stream in the dedicated account, with the S3 bucket as the stream's target. Two access controls are implied but not spelled out: the destination's access policy must allow logs:PutSubscriptionFilter for the member accounts (a condition on aws:PrincipalOrgID covers accounts that join the organization later), and the Firehose delivery role needs write access to the bucket. Existing log groups are covered by creating a subscription filter on each of them in every account. Future log groups are covered by an EventBridge rule that matches the CloudTrail CreateLogGroup record (detail-type "AWS API Call via CloudTrail", which requires CloudTrail management events in that account) and invokes a Lambda function that calls PutSubscriptionFilter on the new group. Because a subscription filter belongs to the account that owns the log group, the rule and function run in each member account, or the function assumes a role into each. Delivery is near real time rather than strictly real time, since Firehose buffers by size and interval before it writes an object.

Options A, B and C fail for a more basic reason than latency: AWS Backup does not support CloudWatch Logs log groups as a resource type, an S3 bucket cannot be specified as a backup vault, and Organizations backup policies only manage AWS Backup plans. None of them can deliver log data to the bucket at all, and the Config rule and Automation runbook in option C would merely automate an assignment that AWS Backup does not accept.
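The pieces option D leaves to the reader, as an added example in Python (not code from the exam page or from AWS): the destination access policy scoped to the organization, the Lambda handler that turns a CreateLogGroup event into a PutSubscriptionFilter call, and a one-off backfill for log groups that already exist. Region us-east-1, account 111111111111, the destination name OrgLogsDestination, the organization ID o-example, and the log group names are assumed values, not from the question. The logs client is injected so the code can be exercised offline with the constructed FakeLogsClient and sample event at the bottom.

```python
# Added example; identifiers below are hypothetical, not from the exam page.
import json

DESTINATION_ARN = "arn:aws:logs:us-east-1:111111111111:destination:OrgLogsDestination"
FILTER_NAME = "org-central-s3"


def destination_policy(destination_arn: str, org_id: str) -> dict:
    """Access policy for the logs destination in the dedicated account.
    Any principal in the organization may attach a subscription filter, so
    new member accounts need no per-account policy edit."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": destination_arn,
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def log_group_from_event(event: dict):
    """Pull the log group name out of an EventBridge event that carries a
    CloudTrail CreateLogGroup record. Returns None for anything else,
    including failed calls, which CloudTrail records with an errorCode."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail", {})
    if detail.get("eventSource") != "logs.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateLogGroup" or "errorCode" in detail:
        return None
    return (detail.get("requestParameters") or {}).get("logGroupName")


def subscribe(logs, log_group_name: str, destination_arn: str = DESTINATION_ARN) -> None:
    """Attach the cross-account subscription filter. A cross-account logs
    destination takes no roleArn; an empty filterPattern forwards every event."""
    logs.put_subscription_filter(
        logGroupName=log_group_name,
        filterName=FILTER_NAME,
        filterPattern="",
        destinationArn=destination_arn,
    )


def handler(event: dict, context=None, logs=None) -> dict:
    """Lambda entry point invoked by the EventBridge rule in each member account."""
    if logs is None:
        import boto3
        logs = boto3.client("logs")
    name = log_group_from_event(event)
    if name is None:
        return {"subscribed": None}
    subscribe(logs, name)
    return {"subscribed": name}


def subscribe_existing(logs, destination_arn: str = DESTINATION_ARN) -> list:
    """Backfill: walk every page of describe_log_groups and subscribe each group."""
    done, token = [], None
    while True:
        page = logs.describe_log_groups(**({"nextToken": token} if token else {}))
        for group in page.get("logGroups", []):
            subscribe(logs, group["logGroupName"], destination_arn)
            done.append(group["logGroupName"])
        token = page.get("nextToken")
        if not token:
            return done


class FakeLogsClient:
    """Constructed stand-in for boto3's logs client, for offline use only.
    describe_log_groups returns one group per page to exercise pagination."""
    def __init__(self, groups):
        self.groups = list(groups)
        self.filters = {}

    def put_subscription_filter(self, **kw):
        self.filters[kw["logGroupName"]] = kw["destinationArn"]

    def describe_log_groups(self, nextToken=None):
        i = int(nextToken) if nextToken else 0
        if i >= len(self.groups):
            return {"logGroups": []}
        page = {"logGroups": [{"logGroupName": self.groups[i]}]}
        if i + 1 < len(self.groups):
            page["nextToken"] = str(i + 1)
        return page


# Constructed sample event, in the shape EventBridge delivers for CloudTrail API calls.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.logs",
    "detail": {
        "eventSource": "logs.amazonaws.com",
        "eventName": "CreateLogGroup",
        "requestParameters": {"logGroupName": "/aws/lambda/orders-api"},
    },
}

if __name__ == "__main__":
    fake = FakeLogsClient(["/aws/ecs/web", "/aws/rds/audit"])
    print(handler(SAMPLE_EVENT, logs=fake))
    print(subscribe_existing(fake))
    print(json.dumps(destination_policy(DESTINATION_ARN, "o-example"), indent=2))
```

The EventBridge rule that feeds handler matches source aws.logs, detail-type "AWS API Call via CloudTrail", eventSource logs.amazonaws.com and eventName CreateLogGroup, and only fires if CloudTrail is recording management events in that account. The handler skips records that carry an errorCode so a failed CreateLogGroup does not produce a PutSubscriptionFilter call against a group that was never created.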