AWS Certified Data Engineer Associate DEA-C01 Practice Question
An enterprise has 30 AWS accounts in an AWS Organization. Compliance mandates that all API activity logs be retained for 7 years in immutable storage and that auditors can run ad-hoc SQL queries across the aggregated logs without building or managing ETL jobs. Which approach most effectively meets these requirements with minimal operational effort?
Create an organization-level CloudTrail Lake event data store with a 7-year retention period and grant auditors read-only Lake query permissions.
Enable AWS Config in all accounts, aggregate configuration snapshots to a central S3 bucket, and query the data with Athena.
Stream all CloudTrail events to CloudWatch Logs, forward them with Kinesis Data Firehose to Amazon OpenSearch Service, and allow auditors to run searches from Kibana.
In each account, configure CloudTrail to deliver logs to an S3 bucket protected by S3 Object Lock, then catalog the buckets with AWS Glue and query them using Amazon Athena.
A centralized organization-level CloudTrail Lake event data store automatically collects management and data events from every member account, stores them in an append-only, tamper-evident format, and supports retention periods of up to 7 years. CloudTrail Lake includes a built-in SQL query engine, so auditors can query the data directly without additional ETL or external services.
Sending CloudTrail logs to individual S3 buckets and querying with Athena adds operational overhead for bucket creation, partitioning, Glue crawlers, and retention management. AWS Config records configuration changes, not full API activity, so it does not meet the logging requirement. Streaming all logs to Amazon OpenSearch Service requires operating and scaling a cluster and uses the OpenSearch query DSL rather than standard SQL, adding complexity and management burden.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a CloudTrail Lake event data store?
Open an interactive chat with Bash
Why is CloudTrail Lake preferred over S3 and Athena for this use case?
Open an interactive chat with Bash
What does tamper-evident storage mean in CloudTrail Lake?
Open an interactive chat with Bash
What is CloudTrail Lake and how does it differ from standard CloudTrail logging?
Open an interactive chat with Bash
What is S3 Object Lock, and why is it less suitable than CloudTrail Lake for immutable log storage?
Open an interactive chat with Bash
Why is AWS Config not a suitable alternative for capturing API activity logs?
Open an interactive chat with Bash
AWS Certified Data Engineer Associate DEA-C01
Data Security and Governance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .