AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer proposes a scalable, real-time, and decoupled architecture for centralizing logs. This approach uses a central Kinesis Data Stream as a destination for log events from multiple source accounts and regions. In each source account, a CloudWatch Logs subscription filter is used to push log events to the central stream. A Lambda function in the central account then consumes these logs from the stream and forwards them to a centralized CloudWatch Log Group. This enables unified analysis with CloudWatch Logs Insights, creation of metric filters for alarming, and consolidated visualization through cross-account dashboards. This 'push' model is highly scalable and considered a best practice for centralized logging.

The option suggesting a 'pull' model using a script on an EC2 instance to assume roles and fetch logs is less efficient. It is not real-time, can be complex to manage, and may encounter API throttling limits at scale. The solution proposing direct logging from the CloudWatch agent and Lambda functions to a central account's log group is not a standard or supported pattern; the CloudWatch agent requires credentials for cross-account logging, which is poor security practice, and Lambda functions natively log to their own account. The CloudWatch cross-account observability feature is a valid tool but is designed for linking a source account in one region to a monitoring account in the same region. It does not natively aggregate logs from multiple regions into a single, centralized location for unified querying, making it insufficient for this multi-region scenario.