AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your company has ten AWS accounts under AWS Organizations. For compliance, the data engineering team must: capture all API activity in every account, store the logs centrally in a dedicated log-archive account for 7 years using immutable storage, and allow auditors to run ad-hoc SQL queries on the logs without copying them to another system. Which solution meets these requirements with the least operational effort?
Enable CloudTrail in every account and stream the logs from Amazon CloudWatch Logs to a centralized Amazon OpenSearch Service cluster, giving auditors Kibana access for queries.
Turn on AWS Config aggregation across the organization, store configuration snapshots in an S3 bucket with Object Lock, and let auditors query the snapshots with AWS Config advanced queries.
Create a single organization CloudTrail that delivers logs to an S3 bucket in the log-archive account with S3 Object Lock enabled. Enable CloudTrail Lake in that account and grant auditors read-only access to a 7-year event data store.
Run an AWS Glue crawler in each account to crawl local CloudTrail S3 logs and load them into a shared Amazon Redshift cluster that auditors can query.
Creating an organization-wide CloudTrail trail automatically records every AWS API call in every member account. Delivering the trail to an S3 bucket that has S3 Object Lock in compliance mode makes the objects write-once-read-many (WORM), satisfying the 7-year immutability requirement without extra infrastructure. Enabling CloudTrail Lake in the log-archive account (and making that account the delegated administrator) creates an event data store that is automatically populated from the same trail. CloudTrail Lake supports SQL-based queries, so auditors can run ad-hoc searches on the stored events without moving the data.
Sending events to CloudWatch Logs and OpenSearch would capture the activity but does not provide native immutability and requires operating an OpenSearch cluster. AWS Config aggregates resource configuration changes, not all API calls, so it fails the capture requirement. Crawling individual account logs into Redshift adds ETL overhead, does not ensure immutability, and requires maintaining the Redshift cluster. Therefore, the organization CloudTrail plus CloudTrail Lake solution is the most efficient and compliant choice.
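The three settings the explanation relies on can be checked mechanically. The following is an added example, not part of the original question or of any AWS tooling: it audits response dictionaries shaped like the output of CloudTrail DescribeTrails, S3 GetObjectLockConfiguration and CloudTrail GetEventDataStore. The sample values, the resource names and the 7 x 365 day threshold are assumptions constructed for illustration.

```python
SEVEN_YEARS_DAYS = 7 * 365  # 2555 days; leap days ignored (assumption)

def retention_days(default_retention):
    """Convert an S3 Object Lock DefaultRetention (Days or Years) to days."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365

def audit(trail, object_lock, event_data_store):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Requirement 1: one trail that covers every member account.
    if not trail.get("IsOrganizationTrail"):
        findings.append("trail is not an organization trail")
    # Requirement 2: WORM storage for 7 years (compliance mode, not governance).
    lock = object_lock.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("default retention mode is not COMPLIANCE")
    if retention_days(retention) < SEVEN_YEARS_DAYS:
        findings.append("bucket default retention is shorter than 7 years")
    # Requirement 3: a queryable event data store covering the same period.
    if not event_data_store.get("OrganizationEnabled"):
        findings.append("event data store does not collect organization events")
    if event_data_store.get("RetentionPeriod", 0) < SEVEN_YEARS_DAYS:
        findings.append("event data store retention is shorter than 7 years")
    return findings

# Constructed sample responses (hypothetical names, not real resources).
GOOD_TRAIL = {"Name": "org-trail", "S3BucketName": "example-log-archive",
              "IsOrganizationTrail": True}
GOOD_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
GOOD_EDS = {"Name": "audit-eds", "OrganizationEnabled": True,
            "RetentionPeriod": 2555}
# Governance mode can be bypassed by principals holding the bypass permission,
# so it does not meet an immutability requirement.
WEAK_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}

if __name__ == "__main__":
    print("compliant setup:", audit(GOOD_TRAIL, GOOD_LOCK, GOOD_EDS))
    for finding in audit(GOOD_TRAIL, WEAK_LOCK, GOOD_EDS):
        print("finding:", finding)
```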