Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 122 discussion

I think C is the best option.

C is the better option as cloudtrail can send logs directly to s3 bucket in other account. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

The C is perfect

cccccccccccc

CCCCCCCCCCCCCC

Vote C

B and C are correct, but C is the best. The company has internal auditors that requires access to bucket in centralize account....obviously the internal auditors has accounts already just like the developers have account. What the auditors need is to assume the role created with read-only access policy. That is efficient and super secure. (IMO)

Answer C For all people confused why the IAM role, please check below To share log files between multiple AWS accounts, you must perform the following general steps. ======= Create an IAM role for each account that you want to share log files with. For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with. Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files. ======= so the auditor here will access the logs programmatically assuming the read only role. more details here : https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html

Why is Lambda inappropriate for this answer

Answer is C

Some disagreement here over B vs C - I get that - but if torn between the two simply consider "full permissions" (B) vs "read-only permissions" (C). An auditor should have read-only. so it's C in fact.

C, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account.

I had this one on the exam, I choosed C, but it is still unclear to me what is really correct. This statement can be for "optimized" in the question's requirement: An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

Answer is C: Both answers B & C serve the requirement. Following the security best practise " Grant Least Privilege" we can select answer C. Security Best Practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege Sending Cloud Trail logs to multiple accounts: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

Cloud tail can deliver logs to a central AWS account. No need for lambda. Now it's between B&C. The difference between the two is that in C the audit is done using a different account as it says "create a role which has a read-only policy". A role can be assumed for an IAM user in a different account (B) to grant access to resources in the account (A). But the Q did not mention the audit using a separate account. It's using the central account. SO the correct answer is B. we just need a user in the same account.

C. Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central account. Create an IAM role in the central account for the auditor. Attach an IAM policy providing read-only permissions to the bucket.

Answer is B. A/D are wrong as it is not necessary to use a Lambda function: CloudTrail can deliver log files in multiple buckets (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html), by chosing these is wouldn't be "optimized". C is wrong as it states to create an "IAM role", which is not correct: Auditors is a real user not a principal so B remains. Read only/Full access is not important as Devs won't be able to access that bucket anyway.