Examice

Exam SAP-C01 All QuestionsBrowse all questions from this exam

Question 925

A company uses multiple AWS accounts in a single AWS Region. A solutions architect is designing a solution to consolidate logs generated by Elastic Load

Balancers (ELBs) in the AppDev, AppTest, and AppProd accounts. The logs should be stored in an existing Amazon S3 bucket named s3-elb-logs in the central

AWS account. The central account is used for log consolidation only and does not have ELBs deployed. ELB logs must be encrypted at rest.

Which combination of steps should the solutions architect take to build the solution? (Choose two.)

Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutBucketLogging action for the central AWS account ID.

Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutObject and s3:DeleteObject actions for the AppDev, AppTest, and AppProd account IDs.

Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutObject action for the AppDev, AppTest, and AppProd account IDs.

Enable access logging for the ELBs. Set the S3 location to the s3-elb-logs bucket.

Enable Amazon S3 default encryption using server-side encryption with S3 managed encryption keys (SSE-S3) for the s3-elb-logs S3 bucket.

Correct Answer: C, D

To consolidate ELB logs into the central S3 bucket, the solution architect should first update the S3 bucket policy to allow the AppDev, AppTest, and AppProd accounts to put objects into the bucket. This ensures the accounts can write their logs to the specified bucket. Additionally, access logging must be enabled for the ELBs and set to point to the s3-elb-logs bucket; this directs the ELB logs to the correct S3 location. Encryption by default does not need to be enabled again as existing S3 buckets typically already handle this.

Discussion

gnicOption: C

CE E is for encryption

dubyaF

unfortunately you gave permission but did not send any logs into your bucket. Your existing bucket was already encrypted by default, so this step was not needed. You did not select D so you were not able to point to your bucket that you just gave permission to. You can only point to this bucker when you turn on access logging.

dubyaF

Additionally, it will also fail to point to this bucket unless the permissions are there. So C and D are the only 2 that work together in actual console that I tested when I turned on logging for my ELB to an existing bucket.

AjayD123Option: D

C & D access logging is disabled by default, while S3 encryption is enabled by default with no option to disable hence E is not required.

zozza2023Option: C

C and E are the answers

AwsBRFanOption: C

C and E (Choose 2 options) looks like examtopics did a mistake with this one

Biden

D is also needed in addition to C & E. just assume D is already enabled hence C,E

fdoxxx

Biden is right! We would rather assume that (C) is already done: "The central account is used for log consolidation only and does not have ELBs deployed. ELB logs must be encrypted at rest." But for sure we need to fulfill D to have ELBs logs collected. I will go for D, E

fdoxxx

Access logs is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logs for your load balancer, Elastic Load Balancing captures - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logs at any time.

Rakesh8585

CDE 3 are correct !!! C: For permissions D: enable access logs E: Encryption

dubyaF

Yes but E was done before the question because this is an "existing Amazon S3 bucket". I just did this test, I had to do C and D to finish the task. I did not have to do E as it was already that way.

WhyIronManOption: D

CD, ENCRYPTION is enabled by default

dubyaF

"an existing Amazon S3 bucket" E is not needed on an existing Amazon S3 bucket-- there is no bucket without encryption on now. I just enabled logging on an ELB, I had to add the permissions "C" and I had to enable access logging to point to my existing bucket. I did not have to encrypt my existing bucket as they all are already that way. C and D

masetromainOption: C

The solutions architect should take steps C and E to meet the requirements. Step C: Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutObject action for the AppDev, AppTest, and AppProd account IDs. Step E: Enable Amazon S3 default encryption using server-side encryption with S3 managed encryption keys (SSE-S3) for the s3-elb-logs S3 bucket. This will allow the AppDev, AppTest, and AppProd accounts to write log files to the specified S3 bucket and encrypt them at rest.

syaldram

C and E

sjpd10

CE The bucket is already owned by 'central' account, so the perms are for the three teams only (Option B) Opt E is the only choice for encryption and works just fine.

sjpd10

Sorry, typo. I meant Option C. The 'Delete' option in OptionB is not required.

fdoxxxOption: D

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Blair77Option: E

C & E right

sodasu

C&E right

skywalkerOption: C

CE Ticky as there is no Organization involve and thus D is out...