AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your organization operates more than 200 AWS accounts under AWS Organizations. A dedicated log-archive account must store every account's CloudTrail management and data events in an encrypted S3 bucket. The security-ops account must receive near-real-time alerts whenever any account calls CreateNetworkInterface or DeleteTrail. The solution must automatically include future member accounts and require as little ongoing maintenance as possible.
Which architecture will satisfy these requirements?
Use CloudFormation StackSets to deploy an account-level CloudTrail trail, CloudWatch Logs group, metric filter, and alarm in every account. Configure each alarm to publish to an SNS topic in the security-ops account.
Enable AWS Config recorders in all accounts and aggregate the data with an organization AWS Config aggregator in the security-ops account. Deploy a managed Config rule that flags network interface creation and trail deletion and sends findings to SNS.
Create an organization CloudTrail trail that writes to an SSE-KMS-encrypted S3 bucket in the log-archive account. In the security-ops account, create a custom EventBridge event bus with an organization-wide resource policy and an EventBridge rule that matches CreateNetworkInterface and DeleteTrail and sends the events to an SNS topic.
Enable AWS Control Tower to create a central trail. Add an S3 ObjectCreated notification on the log-archive bucket that invokes a Lambda function in the security-ops account to scan new log files and publish SNS notifications when the two API calls are found.
An organization-wide CloudTrail trail created in the management account automatically covers all current and future member accounts and can deliver logs to an SSE-KMS-encrypted S3 bucket in the log-archive account. CloudTrail management events appear almost immediately on Amazon EventBridge as events with the detail-type "AWS API Call via CloudTrail". A custom EventBridge event bus in the security-ops account can allow events from the entire organization through a resource-based policy; a rule that matches CreateNetworkInterface and DeleteTrail then forwards notifications to an SNS topic for the security team. This design meets the central storage, near-real-time alerting, auto-enrollment, and low-operations requirements.
Alternatives that deploy separate trails, metric filters, or alarms in every account create high operational overhead and must be redeployed for new accounts. Parsing S3 ObjectCreated events with Lambda introduces latency and complexity, and AWS Config rules do not deliver real-time API-call visibility or detect trail deletion directly. Therefore these approaches do not satisfy all requirements.
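The receiving side of the alerting design described above, written out as a CloudFormation template. This is an added example, not part of the original question page and not AWS-provided code: the bus name, topic name, rule name and the OrganizationId default are placeholders, and the template is deployed once in the security-ops account. The bus policy uses the aws:PrincipalOrgID condition so that new member accounts are covered without editing the policy, the rule matches the two management events by eventName, and the SNS topic policy lets only this rule publish.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Receiving side of the organization-wide alerting design: a custom event bus
  that accepts PutEvents from every account in the organization, a rule that
  matches CreateNetworkInterface and DeleteTrail CloudTrail events, and an SNS
  topic target. Example template, not from the original question page.

Parameters:
  OrganizationId:
    Type: String
    Description: Organization ID used in the bus policy condition (placeholder value)
    Default: o-EXAMPLE

Resources:
  SecurityEventBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: org-security-events   # hypothetical bus name

  # Resource-based policy on the bus: any principal in the organization may
  # PutEvents. Scoping by aws:PrincipalOrgID avoids listing 200+ account IDs
  # and automatically covers accounts added to the organization later.
  SecurityEventBusPolicy:
    Type: AWS::Events::EventBusPolicy
    Properties:
      EventBusName: !Ref SecurityEventBus
      StatementId: AllowPutEventsFromOrganization
      Statement:
        Effect: Allow
        Principal: '*'
        Action: events:PutEvents
        Resource: !GetAtt SecurityEventBus.Arn
        Condition:
          StringEquals:
            aws:PrincipalOrgID: !Ref OrganizationId

  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: org-cloudtrail-alerts   # hypothetical topic name

  # EventBridge needs permission to publish to the topic; restrict it to this
  # one rule so no other rule or account can push into the security channel.
  AlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref AlertTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEventBridgePublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref AlertTopic
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt SensitiveApiCallRule.Arn

  # Match the two management events regardless of which account emitted them.
  # CreateNetworkInterface arrives with source aws.ec2, DeleteTrail with
  # source aws.cloudtrail; both carry detail-type "AWS API Call via CloudTrail".
  SensitiveApiCallRule:
    Type: AWS::Events::Rule
    Properties:
      Name: sensitive-api-calls   # hypothetical rule name
      EventBusName: !Ref SecurityEventBus
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
          - aws.cloudtrail
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventName:
            - CreateNetworkInterface
            - DeleteTrail
      Targets:
        - Id: AlertTopic
          Arn: !Ref AlertTopic
          # Turn the raw CloudTrail record into a one-line, human-readable alert.
          InputTransformer:
            InputPathsMap:
              account: $.account
              region: $.region
              event: $.detail.eventName
              user: $.detail.userIdentity.arn
            InputTemplate: '"<event> called in account <account> (<region>) by <user>"'
```

Events do not leave a member account on their own: each member account's default event bus needs a rule whose target is the ARN of this bus (with a role allowed to call events:PutEvents on it). That single forwarding rule is the sending-side piece and is the same in every account, so it can be rolled out once organization-wide; the template above never needs to change when accounts are added, because the aws:PrincipalOrgID condition admits them automatically.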
Design Solutions for Organizational Complexity