AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company's security team requests that network traffic be captured in VPC Flow Logs. The logs will be frequently accessed for 90 days and then accessed intermittently. What should a solutions architect do to meet these requirements when configuring the logs?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use Amazon CloudWatch as the target. Set the CloudWatch log group with an expiration of 90 days

Use Amazon Kinesis as the target. Configure the Kinesis stream to always retain the logs for 90 days.

Use AWS CloudTrail as the target. Configure CloudTrail to save to an Amazon S3 bucket, and enable S3 Intelligent-Tiering.

Use Amazon S3 as the target. Enable an S3 Lifecycle policy to transition the logs to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.

Explanation:

Explanation

Correct Answer: D

Why Option D is correct:

VPC Flow Logs can be published directly to Amazon S3 - This is a supported destination for VPC Flow Logs.
S3 Lifecycle policies allow you to automatically transition objects to different storage classes based on age.
S3 Standard-IA (Infrequent Access) is designed for data that is accessed less frequently but requires rapid access when needed.
The requirement states:
- Logs will be frequently accessed for 90 days (S3 Standard is appropriate)
- Then accessed intermittently after 90 days (S3 Standard-IA is appropriate)
Cost optimization: S3 Standard-IA is cheaper than S3 Standard for infrequently accessed data.

Why other options are incorrect:

A. Amazon CloudWatch with 90-day expiration:

CloudWatch Logs can retain logs for up to 10 years, but the requirement is for logs to be accessible after 90 days, just less frequently.
Setting expiration to 90 days would delete the logs entirely, not make them available intermittently.

B. Amazon Kinesis with 90-day retention:

Kinesis Data Streams have a maximum retention period of 7 days (extended retention up to 365 days is available but expensive).
Kinesis is designed for real-time data processing, not long-term log storage.
This would be expensive and not cost-effective for the requirement.

C. AWS CloudTrail with S3 Intelligent-Tiering:

CloudTrail is for API activity logging, not VPC Flow Logs.
VPC Flow Logs cannot be sent to CloudTrail as a destination.
While S3 Intelligent-Tiering could work, the approach is incorrect because it uses the wrong service (CloudTrail) as the target.

Key AWS Services Knowledge:

VPC Flow Logs Destinations: Can publish to CloudWatch Logs, S3, or Kinesis Data Firehose.
S3 Storage Classes:
- S3 Standard: Frequently accessed data
- S3 Standard-IA: Infrequently accessed data with rapid access
- S3 Intelligent-Tiering: Automatically moves data between frequent and infrequent access tiers
- S3 Glacier: Long-term archival
Lifecycle Policies: Automate transitions between storage classes based on object age.

This solution meets both the functional requirement (capturing VPC Flow Logs) and the cost optimization requirement (transitioning to cheaper storage after 90 days).

Powered ByGPT-5.2

Comments

Loading comments...