AWS Certified Data Engineer Associate DEA-C01 Practice Question
Your company runs multiple AWS Glue jobs whose execution logs are written to Amazon CloudWatch Logs in the data-engineering account. Compliance requires retaining an immutable copy of all log events for 7 years in a separate audit account where auditors can run ad-hoc Amazon Athena queries. The data-engineering team wants a managed solution that requires no changes to existing Glue jobs and minimal maintenance. Which solution meets these requirements MOST effectively?
Enable AWS CloudTrail Lake in the data-engineering account and share the lake with the audit account to provide long-term, queryable storage of the Glue logs.
Create a CloudWatch Logs subscription filter that sends each Glue log group to a Kinesis Data Firehose delivery stream writing to an S3 bucket in the audit account. Enable S3 Object Lock compliance mode and allow Athena access.
Schedule an AWS Lambda function that uses the aws logs export-task CLI command to periodically export each log group to an S3 Standard-IA bucket, then replicate the bucket to the audit account.
Modify every Glue job to write its logs directly to an S3 bucket in the audit account using a custom Python logger configured with S3 Object Lock.
A CloudWatch Logs subscription filter can continuously stream log events from each Glue log group to a Kinesis Data Firehose delivery stream. Firehose can deliver the data directly to an Amazon S3 bucket in the audit account. Enabling S3 Object Lock in compliance mode on that bucket makes the objects immutable for the required 7-year retention, and Athena can query the logs in place.
Export-task automation requires a Lambda scheduler, supports only periodic batches, and is limited to one concurrent export task, creating operational overhead. Modifying every Glue job to write logs to S3 violates the requirement to avoid job changes. CloudTrail Lake natively ingests CloudTrail events only; ingesting CloudWatch Logs would need a custom integration and additional maintenance, so it does not satisfy the constraints. Therefore, streaming the logs with a CloudWatch Logs subscription filter and Kinesis Data Firehose to an Object-Lock-protected S3 bucket is the most effective approach.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a CloudWatch Logs subscription filter?
Open an interactive chat with Bash
What does S3 Object Lock compliance mode do?
Open an interactive chat with Bash
How does Kinesis Data Firehose work with S3?
Open an interactive chat with Bash
AWS Certified Data Engineer Associate DEA-C01
Data Operations and Support
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .