Exam AWS Certified Data Engineer - Associate DEA-C01 topic 1 question 34 discussion

Cross-Account Delivery: Kinesis Data Streams in the security account ensures the logs reside in the designated security-focused environment. CloudWatch Logs Integration: Granting CloudWatch Logs permissions to put records into the Kinesis Data Stream directly establishes a streamlined and secure data flow from the production account. Filtering Controls: The subscription filter in the production account provides precise control over which log events are sent to the security account.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters-AccountLevel.html#DestinationKinesisExample-AccountLevel

1. **Cross-Account Access:** - AWS Documentation: [Cross-Account Access] https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html - This documentation provides detailed instructions on how to set up cross-account access using IAM roles and trust policies, which is essential for allowing CloudWatch Logs in one AWS account to put data into a Kinesis Data Stream in another AWS account. 2. **Configuring CloudWatch Logs Subscription Filters:** - AWS Documentation: [Subscription Filters for Amazon CloudWatch Logs] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html - This documentation explains how to create subscription filters for CloudWatch Logs, which enable you to route log data to various destinations, including Kinesis Data Streams. Placing the subscription filter in the production AWS account ensures that only the relevant security logs are sent to the Kinesis Data Stream in the security AWS account.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions-Kinesis.html

Both ChatGPT and me agree with anser D