How should a solutions architect meet these requirements?
Configure an AWS Lambda function in each developer account to copy the log files to the central account. Create an IAM role in the central account for the auditor. Attach an IAM policy providing read-only permissions to the bucket.
Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central account. Create an IAM user in the central account for the auditor. Attach an IAM policy providing full permissions to the bucket.
Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central account. Create an IAM role in the central account for the auditor. Attach an IAM policy providing read-only permissions to the bucket.
Configure an AWS Lambda function in the central account to copy the log files from the S3 bucket in each developer account. Create an IAM user in the central account for the auditor. Attach an IAM policy providing full permissions to the bucket.
Explanations:
This option uses a Lambda function to copy the logs, which creates unnecessary complexity. Delivering the logs directly from the developer accounts to the central account is more efficient.
Although it delivers logs to the central account, giving full permissions to the auditor is not secure. The requirement specifies read-only access to ensure security.
This option correctly configures CloudTrail to deliver logs to the central account and uses a role with read-only permissions, aligning with security requirements while optimizing log access.
This option involves a Lambda function in the central account to copy logs, which is not needed if logs are delivered directly from the developer accounts. Also, it grants full permissions, which is not secure.