Question 613 of 1,746
Design Solutions for Organizational Complexity · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct approach is to configure VPC Flow Logs in each member account to deliver directly to a central S3 bucket in the logging account using a properly scoped bucket policy. This works because VPC Flow Logs natively support cross-account delivery to S3 when the destination bucket's policy grants the `s3:PutObject` permission to the VPC Flow Logs service principal acting for the member account, using conditions like `aws:SourceAccount` and `aws:SourceArn` to restrict access. On the AWS Certified Solutions Architect Professional SAP-C02 exam, this scenario tests your understanding of centralized logging within AWS Organizations without requiring intermediate services like Kinesis or Lambda. A common trap is assuming you must use a delivery stream or that the logging account must pull logs. Instead, remember that VPC Flow Logs can push directly cross-account, making the bucket policy the single control point. Memory tip: "Push, don't pull" for cross-account flow logs.

SAP-C02 Practice Question: Design Solutions for Organizational Complexity

This SAP-C02 practice question tests your understanding of design solutions for organizational complexity. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses AWS Organizations with a central logging account. They want to ensure that all VPC Flow Logs from member accounts are published to a central S3 bucket in the logging account. Which steps are required?


Correct answer & explanation

Configure VPC Flow Logs in each member account to deliver to a central S3 bucket using a bucket policy.

Option A is correct because VPC Flow Logs can be published directly to an S3 bucket in a different account by configuring the destination S3 bucket with a bucket policy that grants the required permissions to the VPC Flow Logs service, scoped with conditions such as `aws:SourceAccount` and `aws:SourceArn` so that only the member account's flow logs are accepted. This allows each member account to write flow logs directly to the central logging account's S3 bucket without needing intermediate services, aligning with AWS Organizations' centralized logging best practices.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure VPC Flow Logs in each member account to deliver to a central S3 bucket using a bucket policy.

    Why this is correct

    Flow Logs can deliver to S3, and bucket policy allows cross-account delivery.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use Amazon Kinesis Data Firehose to stream logs to the central bucket.

    Why it's wrong here

    Adds unnecessary complexity.

  • Create a CloudWatch Logs subscription in the central account that receives logs from all accounts.

    Why it's wrong here

A log group in the central account cannot receive logs from other accounts on its own; that requires a subscription filter in each source account.

  • Create a CloudWatch Logs log group in each member account and use a subscription filter to forward to a central S3 bucket via Kinesis.

    Why it's wrong here

    More complex than needed.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume VPC Flow Logs must go through CloudWatch Logs or Kinesis for cross-account delivery, but AWS directly supports publishing to a cross-account S3 bucket with the correct bucket policy, making intermediate services unnecessary.

Detailed technical explanation

How to think about this question

Under the hood, the VPC Flow Logs delivery service (service principal `delivery.logs.amazonaws.com`) publishes log records into the destination S3 bucket, so the bucket policy is the single control point. It must grant `s3:PutObject` to that service principal for the member account's flow log ARN, and it must include conditions like `aws:SourceAccount` and `aws:SourceArn` so the bucket accepts deliveries made on behalf of that member account only; without those conditions any account could have the delivery service write into the bucket (the 'confused deputy' problem). In real-world scenarios, this approach is preferred because it avoids the complexity and cost of streaming logs through CloudWatch Logs or Kinesis, and it directly integrates with AWS Organizations for centralized governance.
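The following Python script is an added example, not Courseiva's or AWS's own code. It builds the central bucket policy described above for a list of member accounts, following the two-statement shape AWS documents for flow-log delivery to S3 (an `s3:PutObject` grant plus an `s3:GetBucketAcl` grant to `delivery.logs.amazonaws.com`, both scoped with `aws:SourceAccount` and `aws:SourceArn`), and then lints any bucket policy for log-delivery grants that are missing those conditions. The bucket name, region and account IDs are constructed placeholders, and `WEAK_POLICY` is a constructed example of the unscoped grant the lint is meant to catch.

```python
"""Build and lint an S3 bucket policy for cross-account VPC Flow Log delivery.

Added example (not from the page, Courseiva or AWS). All account IDs, the
bucket name and the region are constructed placeholders.
"""
import json

LOG_DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"


def flow_log_delivery_statements(bucket, member_account, region):
    """Two statements for one member account (push model: the member's flow log
    writes into the logging account's bucket; nothing pulls)."""
    # Flow logs in the member account are the only acceptable caller.
    source_arn = f"arn:aws:logs:{region}:{member_account}:*"
    return [
        {
            "Sid": f"AWSLogDeliveryWrite{member_account}",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": "s3:PutObject",
            # Deliveries land under AWSLogs/<source-account>/, so scope the prefix too.
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{member_account}/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": member_account,
                    "s3:x-amz-acl": "bucket-owner-full-control",
                },
                "ArnLike": {"aws:SourceArn": source_arn},
            },
        },
        {
            "Sid": f"AWSLogDeliveryAclCheck{member_account}",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": member_account},
                "ArnLike": {"aws:SourceArn": source_arn},
            },
        },
    ]


def build_flow_log_bucket_policy(bucket, member_accounts, region):
    """Central bucket policy covering every member account in the list."""
    statements = []
    for account in member_accounts:
        statements.extend(flow_log_delivery_statements(bucket, account, region))
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_log_delivery_sids(policy):
    """Lint: Sids of Allow statements for the log-delivery service principal that
    lack aws:SourceAccount or aws:SourceArn. Such a grant lets flow logs from
    any AWS account write into the bucket (the confused-deputy gap)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if LOG_DELIVERY_PRINCIPAL not in services:
            continue
        # Condition keys are case-insensitive, so compare in lower case.
        keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            keys.update(k.lower() for k in operator_block)
        if not {"aws:sourceaccount", "aws:sourcearn"} <= keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed weak policy: delivery allowed, but from any account (no scoping).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnyAccountCanDeliver",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::central-flow-logs/*",
        }
    ],
}

if __name__ == "__main__":
    good = build_flow_log_bucket_policy(
        "central-flow-logs", ["111111111111", "222222222222"], "us-east-1"
    )
    print(json.dumps(good, indent=2))
    print("unscoped grants in scoped policy:", unscoped_log_delivery_sids(good))
    print("unscoped grants in weak policy:", unscoped_log_delivery_sids(WEAK_POLICY))
```

Run it as a script to print the generated policy; the lint reports nothing for the scoped policy and flags `AnyAccountCanDeliver` in the weak one. Attach the scoped policy to the logging account's bucket, then create each member account's flow log with that bucket's ARN as the destination; no Kinesis or CloudWatch Logs hop is involved.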

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this SAP-C02 question test?

This question tests Design Solutions for Organizational Complexity: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Configure VPC Flow Logs in each member account to deliver to a central S3 bucket using a bucket policy. Option A is correct because VPC Flow Logs can be published directly to an S3 bucket in a different account by configuring the destination S3 bucket with a bucket policy that grants the required permissions to the VPC Flow Logs service, scoped with conditions such as `aws:SourceAccount` and `aws:SourceArn` so that only the member account's flow logs are accepted. This allows each member account to write flow logs directly to the central logging account's S3 bucket without needing intermediate services, aligning with AWS Organizations' centralized logging best practices.

What should I do if I get this SAP-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

4 more ways this is tested on SAP-C02

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1 (hard). A company has a multi-account AWS environment with centralized logging. The security team wants to ensure that all VPC Flow Logs are published to a central S3 bucket in the logging account. Which combination of steps should be taken to achieve this?

  • A. Use Amazon Kinesis Data Firehose in each account to stream logs to the central S3 bucket
  • B. Create VPC Flow Logs in each account with a custom S3 bucket ARN in the logging account, and configure the bucket policy to allow log delivery from source accounts
  • C. Create VPC endpoints in each account to connect to the central S3 bucket
  • D. Create VPC Flow Logs in each account and publish to a central CloudWatch Logs group

Why B: Option B is correct because VPC Flow Logs can be published directly to an S3 bucket in another account by specifying the bucket ARN in the logging account. The bucket policy must grant the `s3:PutObject` permission to the log delivery service principal (`delivery.logs.amazonaws.com`) for the source accounts, enabling cross-account log delivery without intermediate services.

Variation 2 (hard). A company has a centralized logging account and wants all VPC Flow Logs from all accounts to be delivered to a central S3 bucket in the logging account. Each account has a VPC Flow Log configured to deliver to a bucket in the same account. What is the most efficient way to centralize these logs?

  • A. Use a Lambda function in each account to copy logs to the central bucket
  • B. Set up S3 cross-account replication from each account's bucket to the central bucket
  • C. Configure VPC Flow Logs in each account to directly deliver to the central bucket
  • D. Use CloudWatch Logs subscription filter to stream logs to the central account

Why B: Option B is correct because S3 Cross-Region Replication (CRR) or Same-Region Replication (SRR) can be configured to automatically replicate objects from each account's VPC Flow Logs bucket to a central S3 bucket in the logging account. This approach is fully managed, requires no custom code, and ensures all logs are centralized with minimal operational overhead, while preserving the original delivery mechanism.

Variation 3 (hard). A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

  • A. The S3 bucket has a lifecycle policy that deletes logs after a short period.
  • B. The S3 bucket has a bucket policy that requires the analyst to assume a role in the logging account.
  • C. The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users.
  • D. The S3 bucket is encrypted with an AWS KMS key, and the analyst does not have permissions to decrypt.

Why C: Option C is correct because the S3 bucket policy likely includes a condition that restricts access to only AWS service principals (e.g., the logging account's own services) rather than individual IAM users or roles from other accounts. Even with read-only access granted to the analyst's IAM user or role, the bucket policy's explicit deny for non-service principals overrides any allow, preventing the analyst from accessing the logs. This is a common cross-account access issue where bucket policies must explicitly allow principals from other accounts.

Variation 4 (medium). A company has a centralized logging account that receives VPC flow logs from all accounts. The logs are stored in an S3 bucket. The security team needs to analyze these logs to detect anomalous traffic patterns. Which solution provides the most cost-effective and scalable analysis?

  • A. Use Amazon QuickSight to create dashboards from the flow logs.
  • B. Use Amazon Athena to run SQL queries directly on the S3 bucket containing the flow logs.
  • C. Set up Amazon Kinesis Data Analytics to process the flow logs in real time.
  • D. Load the flow logs into Amazon Redshift and run SQL queries.

Why B: Amazon Athena is the most cost-effective and scalable solution because it allows querying VPC flow logs directly in S3 using standard SQL without requiring data loading or infrastructure management. Athena's serverless, pay-per-query model eliminates idle costs and scales automatically to handle any volume of log data, making it ideal for ad-hoc security analysis of historical logs.


Last reviewed: Jun 24, 2026


This SAP-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAP-C02 exam.