AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your organization operates 15 AWS accounts, each running microservices that emit structured JSON application logs to Amazon CloudWatch Logs. The operations team needs to search and visualize log data across all accounts in near-real time from a single location, run CloudWatch Logs Insights queries without switching roles, and keep the solution entirely within AWS-managed services while minimizing long-term operational overhead.
Which approach will MOST effectively meet these requirements?
Use AWS Resource Access Manager (RAM) to share each CloudWatch log group with a monitoring account, then run CloudWatch Logs Insights queries and build dashboards centrally.
Designate a central monitoring account and enable Amazon CloudWatch cross-account observability with Observability Access Manager (OAM). Link each source account to share the required log groups, then run CloudWatch Logs Insights queries and build dashboards in the monitoring account.
Deploy an Amazon OpenSearch Service domain in a shared-services account and configure CloudWatch Logs subscription filters in each account to send logs to the domain for cross-account analysis in OpenSearch Dashboards.
Create CloudWatch Logs subscription filters in every account to stream logs to an Amazon Kinesis Data Firehose that delivers to an S3 bucket in a logging account, and use Amazon Athena in that account to query the consolidated logs.
CloudWatch cross-account observability lets you designate one monitoring account and link it to multiple source accounts by using Observability Access Manager (OAM). When log groups are shared, they appear in the monitoring account's console, allowing operators to execute CloudWatch Logs Insights queries and create dashboards without assuming roles or moving data. All telemetry stays in AWS-managed CloudWatch, so there is no additional infrastructure to deploy or manage.
Streaming logs to Amazon S3 and querying with Athena introduces delivery buffers, extra storage, and administration, and it forgoes native Logs Insights capabilities. Sending logs to a self-managed OpenSearch Service domain also creates additional operational burden and cost. CloudWatch log groups cannot be shared through AWS Resource Access Manager; cross-account visibility is provided only through OAM, so that alternative is not feasible.
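In cross-account observability, the monitoring account's OAM sink carries a policy that decides which source accounts may link and which telemetry types they may share. The following added example (not part of the original question) builds a sink policy limited to log groups and audits a policy for broader access than intended; the account IDs are constructed, the function names are hypothetical, and the policy layout is assumed to follow the sink-policy format AWS documents for OAM.

```python
import json

LOG_GROUP = "AWS::Logs::LogGroup"

def build_sink_policy(source_account_ids, resource_types=(LOG_GROUP,)):
    """Policy for the monitoring account's OAM sink: only the listed source
    accounts may create links, and only for the listed telemetry types."""
    for acct in source_account_ids:
        if not (isinstance(acct, str) and len(acct) == 12 and acct.isdigit()):
            raise ValueError(f"not a 12-digit account id: {acct!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": sorted(set(source_account_ids))},
            "Action": ["oam:CreateLink", "oam:UpdateLink"],
            "Resource": "*",
            "Condition": {"ForAllValues:StringEquals":
                          {"oam:ResourceTypes": list(resource_types)}},
        }],
    }

def audit_sink_policy(policy, allowed_types=(LOG_GROUP,)):
    """Return findings for Allow statements broader than intended."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        keys = {}  # condition key -> values, merged across operators
        for block in stmt.get("Condition", {}).values():
            keys.update(block)
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal == "*" and "aws:PrincipalOrgID" not in keys:
            findings.append(f"statement {i}: any AWS account may link")
        types = keys.get("oam:ResourceTypes")
        if types is None:
            findings.append(f"statement {i}: telemetry types unrestricted")
            continue
        types = [types] if isinstance(types, str) else types
        extra = sorted(set(types) - set(allowed_types))
        if extra:
            findings.append(f"statement {i}: also shares {', '.join(extra)}")
    return findings

if __name__ == "__main__":
    # Constructed account IDs standing in for two of the 15 source accounts.
    policy = build_sink_policy(["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2), audit_sink_policy(policy))
```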
Continuous Improvement for Existing Solutions