AWS Certified Solutions Architect - Professional / Question #781 of 529

Question #781

A company operates an Amazon Aurora PostgreSQL DB cluster in a single AWS Region. The compliance team needs to continuously audit all data access and modification activities across all databases.

Which solution will meet this requirement?

A

Configure an AWS DMS CDC task with the Aurora cluster as the source and Kinesis Data Firehose as the target. Use Firehose to load data into Amazon OpenSearch Service for audit analysis.

B

Activate a database activity stream on the Aurora cluster, which sends events to Amazon EventBridge. Set up a Lambda function triggered by EventBridge to decrypt and store the activities in Amazon S3.

C

Enable a database activity stream on the Aurora cluster, directing the stream to an Amazon Kinesis data stream. Use Amazon Kinesis Data Firehose to consume the stream and store the data in Amazon S3 for auditing purposes.

D

Create an AWS DMS CDC task sourcing from Aurora and targeting Kinesis Data Firehose. Use Firehose to deliver data to Amazon Redshift, then query Redshift for audit logs.

Explanation

Option C is correct because Amazon Aurora's database activity streams are specifically designed to capture all database access and modification activities, including SQL statements, connections, and user actions. By directing the stream to an Amazon Kinesis data stream and using Kinesis Data Firehose to deliver the data to S3, the solution provides a fully managed, scalable, and durable audit trail.

Other options are incorrect because:
- A and D: AWS DMS CDC captures data changes (e.g., INSERT/UPDATE/DELETE) but does not log all access activities (e.g., SELECT queries, user logins).
- B: While database activity streams can integrate with EventBridge, the activity stream data is encrypted, requiring manual decryption via Lambda. Option C avoids this complexity by using Kinesis Data Firehose, which handles decryption automatically.

Key Points:
1. Aurora database activity streams capture comprehensive audit data.
2. Kinesis Data Streams + Firehose provide seamless integration for streaming and storing logs in S3.
3. Avoid solutions relying on DMS or manual decryption steps for compliance use cases.

Answer

The correct answer is: C