Which solution will meet these requirements?
A. Enable Organizations backup policies to back up all log groups to a dedicated S3 bucket. Add an S3 bucket policy that allows access from all accounts that belong to the company.
B. Create a backup plan in AWS Backup. Specify a dedicated S3 bucket as a backup vault. Assign all CloudWatch Logs log group resources to the backup plan. Create resource assignments in the backup plan for all accounts that belong to the company.
C. Create a backup plan in AWS Backup. Specify a dedicated S3 bucket as a backup vault. Assign all existing log groups to the backup plan. Create resource assignments in the backup plan for all accounts that belong to the company. Create an AWS Systems Manager Automation runbook to assign log groups to a backup plan. Create an AWS Config rule that has an automatic remediation action for all noncompliant log groups. Specify the runbook as the rule’s target.
D. Create a CloudWatch Logs destination and an Amazon Kinesis Data Firehose delivery stream in the dedicated AWS account. Specify the S3 bucket as the destination of the delivery stream. Create subscription filters for all existing log groups in all accounts. Create an AWS Lambda function to call the CloudWatch Logs PutSubscriptionFilter API operation. Create an Amazon EventBridge rule to invoke the Lambda function when a CreateLogGroup event occurs.
Explanations:
A. Organizations backup policies do not exist for CloudWatch Logs; hence, this option does not provide a viable solution for sending CloudWatch Logs to S3. S3 bucket policies alone would not suffice to ensure logs from all log groups are captured.
B. AWS Backup cannot back up CloudWatch Logs directly to S3, and a backup plan must be created for specific resources. This option requires manual assignment of existing log groups, which does not accommodate future log groups automatically.
C. Similar to option B, AWS Backup does not support direct backup of CloudWatch Logs to S3. While a runbook and AWS Config rule could help with future log groups, the fundamental approach of using AWS Backup is flawed for this use case.
D. This option utilizes a CloudWatch Logs destination and Kinesis Data Firehose to deliver logs to an S3 bucket, which meets the requirement for all existing and future log groups. The Lambda function and EventBridge rule automate the subscription filter creation for new log groups, ensuring comprehensive coverage.
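A sketch of the Lambda function from the last option, as an added example that is not part of the original page. The destination ARN, filter name, and sample event are constructed placeholders, and the function assumes the EventBridge rule matches CloudTrail-recorded `CreateLogGroup` calls.

```python
import os

# Assumed placeholder values; the page gives no ARNs or names.
DESTINATION_ARN = os.environ.get(
    "DESTINATION_ARN",
    "arn:aws:logs:us-east-1:111111111111:destination:central-logs",  # constructed
)
FILTER_NAME = "central-archive"  # hypothetical filter name


def log_group_from_event(event):
    """Return the new log group's name, or None if the event must be ignored."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "logs.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateLogGroup":
        return None
    if "errorCode" in detail:  # CloudTrail also records failed calls
        return None
    return (detail.get("requestParameters") or {}).get("logGroupName")


def subscribe(logs_client, event, destination_arn=DESTINATION_ARN):
    """Attach the subscription filter; returns the log group name or None."""
    name = log_group_from_event(event)
    if not name:
        return None
    # Reusing one filterName makes a repeated invocation an update, not a duplicate.
    logs_client.put_subscription_filter(
        logGroupName=name,
        filterName=FILTER_NAME,
        filterPattern="",  # empty pattern forwards every log event
        destinationArn=destination_arn,  # cross-account destination: no roleArn
    )
    return name


def handler(event, context):
    import boto3  # imported here so the helpers above run without the AWS SDK
    return subscribe(boto3.client("logs"), event)


# Constructed sample of the event EventBridge delivers for the API call.
SAMPLE_EVENT = {
    "source": "aws.logs",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "logs.amazonaws.com",
        "eventName": "CreateLogGroup",
        "requestParameters": {"logGroupName": "/app/orders"},
    },
}
```

The destination's access policy in the dedicated account must allow the source accounts to call `logs:PutSubscriptionFilter` against it, otherwise the call is denied.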