AWS Certified Solutions Architect - Professional 2020


More explanation of this question please.

QUESTION: "What is the most efficient way of logging all external interaction with AWS services for your accounts globally?"

a.) Setup CloudTrail in your main region and configure it to log all regions and store logs in a single S3 bucket in your main region.

b.) Setup Log Consolidation in AWS Organizations for all accounts globally.

c.) Setup CloudTrail in each region where you have assets to store logs in S3 buckets in that region.

d.) Setup CloudWatch in each region where you have assets to store logs in S3 buckets in that region.

e.) Setup CloudWatch in your main region and configure it to log all regions and store logs in a single S3 bucket in your main region.

The question specifically says accounts and not account. The correct answer appears to be "a.) Setup CloudTrail in your main region and configure it to log all regions and store logs in a single S3 bucket in your main region." 

I originally thought this was the correct answer until I noticed the question specifically asks for account[s]. Granted, it will enable CloudTrail globally within the main account, but simply setting up CloudTrail in your main region in your main account won't automatically enable it in your other accounts. Will it?

In order to do this, I suppose it would be possible using AWS Organizations, so I changed my answer to "Setup Log Consolidation in AWS Organizations for all accounts globally.", which as you know is wrong.

Could someone please shed some more light on this, as I am a little confused by it.

Screenshot – https://www.screencast.com/t/SSZVlxKWZIvO

Bhavik Shah

I have this confusion as well. Would appreciate feedback on this!

1 Answer

Hi Tyrone,

This is a tricky question, but it uses a trick that we’ve seen on the exam a few times. The question does not say that we are using AWS Organizations, and we can certainly have multiple accounts we are responsible for without using AWS Organizations. But you may say AWS Organizations is the most efficient…but maybe it’s not. What if we were a third-party company that monitors security for multiple other independent companies, for example? We wouldn’t use AWS Organizations in that case.

Not saying that we have to read those details into the question, but it’s important to NOT read details into the question, like assuming we can use AWS Organizations. Another elimination factor for B is that there is no feature in AWS Organizations called Log Consolidation. It’s actually a process involving cross-account IAM roles and normal CloudTrail stuff.

–Scott
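As an added illustration of the "normal CloudTrail stuff" Scott refers to (example code, not part of the original thread), the snippet below builds the multi-region trail settings from option (a) and the S3 bucket policy that lets the CloudTrail service deliver several accounts' logs into one central bucket, then checks which accounts in an inventory the policy would still refuse. The bucket name and 12-digit account IDs are constructed placeholders.

```python
# Added example (not from the thread): bucket-policy side of sending several
# accounts' CloudTrail logs into one central bucket. Names/IDs are placeholders.
import re

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"
_LOG_PREFIX = re.compile(r"AWSLogs/(\d{12})/")


def trail_config(name: str, bucket: str) -> dict:
    """Option (a): one trail in the main region that records all regions plus
    global-service events (e.g. IAM, STS) into a single bucket."""
    return {"Name": name, "S3BucketName": bucket,
            "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
            "EnableLogFileValidation": True}  # signed digests detect tampering

def cloudtrail_bucket_policy(bucket: str, account_ids: list[str]) -> dict:
    """Let the CloudTrail service check the bucket ACL and write each account's
    logs only under its own AWSLogs/<id>/ prefix, with bucket-owner-full-control
    so the central account can read objects written on behalf of the others."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_PRINCIPAL}, "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}

def _as_list(v) -> list:
    return [v] if isinstance(v, str) else list(v or [])

def accounts_permitted(policy: dict) -> set[str]:
    """Account IDs an existing bucket policy lets CloudTrail deliver for, read
    from the AWSLogs/<id>/ prefixes of its Allow + s3:PutObject statements."""
    allowed: set[str] = set()
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or CLOUDTRAIL_PRINCIPAL not in services:
            continue
        if not any(a in ("s3:PutObject", "s3:*") for a in actions):
            continue
        for res in _as_list(st.get("Resource")):
            allowed.update(m.group(1) for m in _LOG_PREFIX.finditer(res))
    return allowed

def unlogged_accounts(policy: dict, inventory: list[str]) -> set[str]:
    """Accounts whose trails the central bucket would reject (a new account added without updating the policy)."""
    return set(inventory) - accounts_permitted(policy)
```

Each other account still needs its own trail pointed at the central bucket; the policy only decides whose deliveries the bucket accepts, which is what `unlogged_accounts` flags.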

Matthieu Lienart

I… I’m just lost… and speechless
