SAP-C02 Study Assistant

SAP-C02 Question 338

Lambda Kinesis SQS IAM Control Tower CloudWatch

Question

A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing. A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load. The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process. Which combination of steps should the solutions architect take to meet the requirements? (Choose three.)

Options

A. Create a destination Amazon Kinesis data stream in the central logging account.

B. Create a destination Amazon Simple Queue Service (Amazon SQS) queue in the central logging account.

C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data stream. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.

D. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Simple Queue Service (Amazon SQS) queue. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a single subscription filter for all log groups to send data to the SQS queue.

E. Create an AWS Lambda function. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.

F. Create an AWS Lambda function. Program the Lambda function to normalize the logs in the member accounts and to write the logs to the security tool.

Answer

ACE

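Explanation

Correct answer: ACE

Explanation: The correct choice for this question is ACE.

Correct options:

A. Create a destination Amazon Kinesis data stream in the central logging account.

C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data stream. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.

E. Create an AWS Lambd...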