ExpertAWS SAP-C02 · Question 04 · Domain 1.4: Multi-Account Environment
A company is setting up a new AWS environment using AWS Control Tower. They need to ensure that all VPC flow logs across all member accounts are centralized into a single Amazon S3 bucket in a dedicated Log Archive account. The solution must prevent member account administrators from modifying or deleting the flow logs. What is the MOST operationally efficient solution?
A company is setting up a new AWS environment using AWS Control Tower. They need to ensure that all VPC flow logs across all member accounts are centralized into a single Amazon S3 bucket in a dedicated Log Archive account. The solution must prevent member account administrators from modifying or deleting the flow logs. What is the MOST operationally efficient solution?
Answer options:
Create a custom AWS Config rule in each account to enforce VPC Flow Logs. Use an IAM role to write to the central bucket.
Use AWS CloudFormation StackSets delegated administration to deploy VPC Flow Logs to all accounts. Apply an SCP to deny ec2:DeleteFlowLogs.
Configure AWS CloudTrail to capture VPC Flow Logs and route them to the Control Tower Log Archive bucket.
Use Amazon EventBridge in each account to route flow logs to a central Kinesis Data Firehose.
How to approach this question
Full Answer
Common mistakes
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4
75 questions · hints · full answers · grading