Learn how to create a centralized solution to analyze log files across an AWS organization, including AWS accounts, AWS Marketplace offerings, and on-premises systems. Prepare for the AWS Certified Security – Specialty SCS-C02 exam.
Question
A company needs to create a centralized solution to analyze log files. The company uses an organization in AWS Organizations to manage its AWS accounts.
The solution must aggregate and normalize events from the following sources:
- The entire organization in Organizations
- All AWS Marketplace offerings that run in the company’s AWS accounts
- The company’s on-premises systems
Which solution will meet these requirements?
A. Configure a centralized Amazon S3 bucket for the logs. Enable VPC Flow Logs, AWS CloudTrail, and Amazon Route 53 logs in all accounts. Configure all accounts to use the centralized S3 bucket. Configure AWS Glue crawlers to parse the log files. Use Amazon Athena to query the log data.
B. Configure log streams in Amazon CloudWatch Logs for the sources that need monitoring. Create log subscription filters for each log stream. Forward the messages to Amazon OpenSearch Service for analysis.
C. Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accounts that need monitoring. Use Amazon Athena to query the log data.
D. Apply an SCP to configure all member accounts and services to deliver log files to a centralized Amazon S3 bucket. Use Amazon OpenSearch Service to query the centralized S3 bucket for log entries.
Answer
C. Set up a delegated Amazon Security Lake administrator account in Organizations. Enable and configure Security Lake for the organization. Add the accounts that need monitoring. Use Amazon Athena to query the log data.
Explanation
Key points:
- Amazon Security Lake provides a centralized solution to aggregate, normalize, and analyze log data across AWS accounts, regions, and on-premises systems
- You can set up a delegated admin account in AWS Organizations to manage Security Lake for the entire organization
- Once enabled, you add the accounts that need monitoring to Security Lake
- Security Lake automatically collects and normalizes log data from sources like CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs, and more
- It also supports ingesting custom log sources and logs from third-party SaaS applications
- The normalized data is stored in a purpose-built data lake and partitioned for efficient querying
- You can then use services like Amazon Athena to easily query and analyze the aggregated log data
The other options have some limitations:
A) Using a centralized S3 bucket with AWS Glue would require more manual configuration of log sources and parsing. It doesn’t automatically handle normalization.
B) Using CloudWatch Logs and OpenSearch would require setting up log streams and subscription filters for each source individually. It doesn’t provide the same level of centralization and automation as Security Lake.
D) Applying an SCP wouldn’t automatically configure log delivery from all the required sources. Querying the logs directly from S3 with OpenSearch wouldn’t be as efficient as using a purpose-built analytics service like Athena.
Therefore, using Amazon Security Lake is the best solution to centrally aggregate, normalize, and analyze diverse log sources across an entire AWS organization. Its automation and integration with analytics services make it the most comprehensive and efficient option.