Which solution should the database specialist recommend?
Enable Aurora Database Activity Streams on the database in synchronous mode. Connect the Amazon Kinesis data stream to Kinesis Data Firehose. Set the Kinesis Data Firehose destination to an Amazon S3 bucket.
Create an AWS CloudTrail trail in the Region where the database runs. Associate the database activity logs with the trail.
Enable Aurora Database Activity Streams on the database in asynchronous mode. Connect the Amazon Kinesis data stream to Kinesis Data Firehose. Set the Firehose destination to an Amazon S3 bucket.
Allow connections to the DB cluster through a bastion host only. Restrict database access to the bastion host and application servers. Push the bastion host logs to Amazon CloudWatch Logs using the CloudWatch Logs agent.
Explanations:
Enabling Aurora Database Activity Streams in synchronous mode can affect database performance, and the audit requirement does not call for real-time synchronous logging. Asynchronous mode is the better option for minimal impact.
AWS CloudTrail primarily records API calls made to AWS services, not database-level activity within the database itself. CloudTrail won’t capture detailed database queries or admin activity within Aurora PostgreSQL.
Aurora Database Activity Streams in asynchronous mode is the most efficient option for capturing detailed database access and activity logs with minimal impact on performance. Kinesis Data Firehose allows easy delivery to an S3 bucket for long-term storage.
Restricting DB access via a bastion host only and pushing bastion logs to CloudWatch is not an efficient solution for capturing detailed database activity. This method does not directly log database-level events, such as SQL queries or database administrator actions.
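One way to review what the recommended pipeline lands in S3, as an added example that is not part of the question or of any AWS code: the block assumes an upstream step has already decrypted each Database Activity Stream record (KMS-wrapped data key, then AES-GCM) and runs two audit checks over a constructed sample payload; the event field and class names follow the Aurora PostgreSQL activity-stream record format, while the admin-user and allowed-host sets are hypothetical inputs.

```python
"""Triage decrypted Aurora Database Activity Stream (DAS) records (added example)."""
import json

# Constructed sample in the shape of one decrypted DAS payload; field names
# follow the Aurora PostgreSQL activity-stream record format.
SAMPLE_PAYLOAD = json.dumps({
    "type": "DatabaseActivityMonitoringRecord",
    "clusterId": "cluster-EXAMPLE",
    "databaseActivityEventList": [
        {"type": "heartbeat"},
        {"type": "record", "class": "READ", "command": "SELECT",
         "commandText": "SELECT id FROM orders WHERE id = $1",
         "dbUserName": "app_user", "remoteHost": "10.0.1.25",
         "databaseName": "shop", "logTime": "2024-05-01 10:00:01.000000+00"},
        {"type": "record", "class": "DDL", "command": "DROP TABLE",
         "commandText": "DROP TABLE audit_archive",
         "dbUserName": "dba_admin", "remoteHost": "10.0.1.25",
         "databaseName": "shop", "logTime": "2024-05-01 10:02:13.000000+00"},
        {"type": "record", "class": "ROLE", "command": "GRANT",
         "commandText": "GRANT ALL ON SCHEMA public TO app_user",
         "dbUserName": "dba_admin", "remoteHost": "203.0.113.9",
         "databaseName": "shop", "logTime": "2024-05-01 10:03:40.000000+00"},
    ],
})

PRIVILEGED_CLASSES = {"DDL", "ROLE"}  # schema and privilege changes


def triage(payload_json, admin_users, allowed_hosts):
    """Return one finding per audit-worthy event in a decrypted DAS payload."""
    doc = json.loads(payload_json)
    findings = []
    for ev in doc.get("databaseActivityEventList", []):
        if ev.get("type") != "record":  # heartbeats carry no activity
            continue
        reasons = []
        if ev.get("class") in PRIVILEGED_CLASSES:
            reasons.append("privileged_change")
        if ev.get("dbUserName") in admin_users and ev.get("remoteHost") not in allowed_hosts:
            reasons.append("admin_from_unexpected_host")
        if reasons:
            findings.append({"logTime": ev.get("logTime"), "dbUserName": ev.get("dbUserName"),
                             "remoteHost": ev.get("remoteHost"), "command": ev.get("command"),
                             "commandText": ev.get("commandText"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PAYLOAD, {"dba_admin"}, {"10.0.1.25"}):
        print(f["logTime"], f["dbUserName"], f["command"], ",".join(f["reasons"]))
```

The same checks run unchanged over real payloads once the Firehose-delivered S3 objects have been split into records and decrypted, which is the step the bastion-host option in the question could never provide.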