Cross-Account Log Data Sharing in Different Regions

Correct Answers: A, B.

Relevant points here are cross-account log data sharing and cross-Region support.

Amazon Kinesis streams are currently the only resource supported as a destination for cross-account subscriptions.

This invalidates all the remaining answers based on AWS Lambda functions.

Since all steps during creation to implement cross-account are to be done in the log data recipient account, it is important to consider that role-arn is needed for impersonation while writing to an Amazon Kinesis stream, which, in this case, it has already been provided by the destination owner while creating the destination.

In order to satisfy the requirements, it is also important to specify the Region when creating a destination data stream.

Incorrect Answers:

Options C, D, E, F are incorrect even though they may be right in a separate scenario.

Because AWS Lambda is irrelevant in this context since Amazon Kinesis streams are the only resource supported as a destination for cross-account subscriptions.

References:

https://aws.amazon.com/premiumsupport/knowledge-center/streaming-cloudwatch-logs/ https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

The scenario described in the question involves configuring cross-account log data sharing to a different Region. In this context, several statements have been presented, and it is necessary to identify which ones are true. Let's examine each statement in more detail:

A. Use subscriptions to deliver the feed to the Amazon Kinesis stream. Make sure to specify the Region when creating a destination data stream.

This statement is correct. To configure cross-account log data sharing using Amazon Kinesis, it is necessary to create a subscription that delivers the feed to a Kinesis stream. When creating the destination data stream, it is crucial to specify the Region where the stream is located.

B. You do not have to provide a role-arn for this Amazon Kinesis stream because it is already provided by the destination owner while creating a destination stream.

This statement is incorrect. To create a subscription to a Kinesis stream, it is necessary to specify an IAM role-arn that has permissions to write to the destination stream. The role-arn should be provided by the destination owner.

C. The role-arn is not needed for AWS Lambda destinations because AWS CloudWatch Logs can get them from access control settings on the function itself.

This statement is partially correct. When using AWS Lambda as a destination for CloudWatch Logs, it is not necessary to specify a role-arn. Instead, CloudWatch Logs can use the access control settings on the Lambda function itself to determine the appropriate IAM role.

D. If AWS Lambda returns a throttling exception, CloudWatch Logs will retry delivery for up to 24 hours.

This statement is correct. If AWS Lambda returns a throttling exception, CloudWatch Logs will retry delivery for up to 24 hours before reporting an error.

E. Use subscriptions to deliver the feed to AWS Lambda. Make sure to specify the Region when creating a destination data stream.

This statement is correct. To configure cross-account log data sharing using AWS Lambda, it is necessary to create a subscription that delivers the feed to a Lambda function. When creating the destination data stream, it is crucial to specify the Region where the function is located.

F. You do not have to provide a role-arn for Lambda destinations because AWS CloudWatch Logs can get them from access control settings on the Lambda function itself.

This statement is correct. When using AWS Lambda as a destination for CloudWatch Logs, it is not necessary to specify a role-arn. Instead, CloudWatch Logs can use the access control settings on the Lambda function itself to determine the appropriate IAM role.

In summary, the correct statements in this scenario are A and D.