Which design meets these requirements?
A. The chat application logs each chat message into Amazon CloudWatch Logs. A scheduled AWS Lambda function invokes a CloudWatch Logs CreateExportTask every 5 minutes to export chat transcripts to Amazon S3. The S3 bucket is configured for cross-region replication to the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the S3 bucket.
B. The chat application logs each chat message into two different Amazon CloudWatch Logs groups in two different regions, with the same AWS KMS key applied. Both CloudWatch Logs groups are configured to export logs into an Amazon Glacier vault with a 7-year vault lock policy with a KMS key specified.
C. The chat application logs each chat message into Amazon CloudWatch Logs. A subscription filter on the CloudWatch Logs group feeds into an Amazon Kinesis Data Firehose which streams the chat messages into an Amazon S3 bucket in the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the Kinesis Data Firehose.
D. The chat application logs each chat message into Amazon CloudWatch Logs. The CloudWatch Logs group is configured to export logs into an Amazon Glacier vault with a 7-year vault lock policy. Glacier cross-region replication mirrors chat archives to the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the Amazon Glacier vault.
Explanations:
A. A 5-minute export schedule is, on paper, inside the 15-minute RPO: at most 5 minutes of messages would be unreplicated at the moment of a disaster. The weakness is that CreateExportTask is an asynchronous batch job, not a streaming mechanism. CloudWatch Logs allows only one active export task per account at a time and a task can take hours to complete, so a job scheduled every 5 minutes does not reliably bound the data loss, and the RPO is not guaranteed. Cross-region replication of the bucket does address DR, but it only copies what an export has already landed in S3. Using separate KMS keys for the CloudWatch Logs group and the S3 bucket is not wrong in itself; what the DLP team asked for is control over the key that protects the data at rest (the ability to rotate and revoke it), and this option does not provide for that.
B. Writing each message to two CloudWatch Logs groups in two regions does provide redundancy, but the rest of the design does not hold together. CloudWatch Logs export tasks deliver to an S3 bucket, not to an S3 Glacier vault, and a vault is an archival store: retrieving data from it takes hours, so the 7-year vault lock satisfies the retention requirement but the design cannot meet a 15-minute RTO. A KMS key is also scoped to one region, so "the same key" cannot be applied in both regions unless it is a multi-region key, and even then the option says nothing about the DLP team administering it, so their requirement is not addressed.
C. A subscription filter hands every log event to Kinesis Data Firehose as it is written, and Firehose delivers it to the S3 bucket in the backup region as soon as its buffer fills or its buffer interval elapses. Because the Firehose S3 buffer interval cannot exceed 900 seconds, the worst-case delivery lag is 15 minutes, which meets the RPO without any scheduled export; the bucket in the backup region is the DR copy, so no separate replication step is needed. Separate KMS keys for the log group and for Firehose protect the data at rest on each hop (KMS does not provide encryption in transit; that comes from TLS on the service endpoints). The key that encrypts the objects in S3 can be a customer-managed key whose key policy gives the DLP team control over rotation and revocation, which satisfies their requirement. This is the design that meets the requirements.
D. As in option B, an export task cannot target a Glacier vault directly, and retrieving data from S3 Glacier takes hours, so the 15-minute RTO is not met. Vault lock covers the 7-year retention, but cross-region replication is a feature of S3 buckets, not of Glacier vaults, so the DR mechanism this option relies on is not available as described. As with option A, a separate KMS key for the archive is not incorrect, but nothing in the option gives the DLP team control of the key that protects the data at rest.
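The DLP team's requirement in option C comes down to the key policy on the customer-managed KMS key, so here is an added example (not from the original page or from AWS) that builds such a policy and audits it. The account ID, region and the role names DlpKeyAdmin and FirehoseDelivery are constructed placeholders; the CloudWatch Logs service principal and the kms:EncryptionContext:aws:logs:arn condition are the form AWS documents for encrypting a log group with a customer-managed key. The audit also runs against a constructed console-default style policy to show what it flags.

```python
"""Key policy for the CloudWatch Logs -> Firehose -> S3 design, plus an audit.

Added example; not code from the original page. Account ID, region and role
names are constructed placeholders.
"""
import json

ACCOUNT = "111122223333"                                         # placeholder
REGION = "us-east-1"                                             # primary region
DLP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/DlpKeyAdmin"            # assumed name
FIREHOSE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/FirehoseDelivery"  # assumed name

# What "control, rotate and revoke" means in KMS terms.
DLP_CONTROL_ACTIONS = [
    "kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
    "kms:EnableKeyRotation", "kms:DisableKeyRotation", "kms:EnableKey",
    "kms:DisableKey", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Data-path actions a service needs to encrypt and read log data, nothing more.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(region=REGION, account=ACCOUNT,
                     dlp_role=DLP_ROLE, firehose_role=FIREHOSE_ROLE):
    """DLP team administers the key but never decrypts data.

    Deliberately no account-root 'kms:*' statement: IAM policies in the
    account then cannot grant key access behind the DLP team's back.
    """
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DlpTeamAdministersKey", "Effect": "Allow",
         "Principal": {"AWS": dlp_role},
         "Action": DLP_CONTROL_ACTIONS, "Resource": "*"},
        # CloudWatch Logs may use the key only for log groups in this account
        # and region, matched on the encryption context the service sends.
        {"Sid": "CloudWatchLogsUsesKey", "Effect": "Allow",
         "Principal": {"Service": f"logs.{region}.amazonaws.com"},
         "Action": USAGE_ACTIONS, "Resource": "*",
         "Condition": {"ArnLike": {"kms:EncryptionContext:aws:logs:arn":
                                   f"arn:aws:logs:{region}:{account}:log-group:*"}}},
        # The Firehose delivery role encrypts the objects it writes to S3.
        {"Sid": "FirehoseDeliveryRoleUsesKey", "Effect": "Allow",
         "Principal": {"AWS": firehose_role},
         "Action": USAGE_ACTIONS, "Resource": "*"},
    ]}


# Constructed counter-example in the console-default style: root holds kms:*,
# the DLP role is not named, and the Logs principal has no condition.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
     "Action": USAGE_ACTIONS, "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for v in principal.values() for p in _as_list(v)]


def audit_key_policy(policy, dlp_role=DLP_ROLE):
    """Check a key policy for the properties the chat-transcript design needs."""
    dlp_actions, wildcard = set(), False
    logs_seen, logs_scoped = False, True
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        principals = _principals(stmt)
        wildcard |= "*" in principals
        if dlp_role in principals:
            dlp_actions |= actions
        if any(p.startswith("logs.") and p.endswith(".amazonaws.com") for p in principals):
            logs_seen = True
            cond = stmt.get("Condition", {})
            logs_scoped &= any("kms:EncryptionContext:aws:logs:arn" in keys
                               for keys in cond.values())
    full = "kms:*" in dlp_actions
    return {
        "dlp_can_rotate": full or "kms:EnableKeyRotation" in dlp_actions,
        "dlp_can_revoke": full or {"kms:DisableKey", "kms:ScheduleKeyDeletion"} <= dlp_actions,
        "dlp_can_decrypt": full or "kms:Decrypt" in dlp_actions,   # want False
        "logs_principal_scoped": logs_seen and logs_scoped,
        "wildcard_principal": wildcard,
    }


if __name__ == "__main__":
    print(json.dumps(build_key_policy(), indent=2))
    print("hardened:", audit_key_policy(build_key_policy()))
    print("weak:    ", audit_key_policy(WEAK_POLICY))
```

Revocation here is kms:DisableKey (immediate, reversible) backed by kms:ScheduleKeyDeletion; once the key is disabled, neither CloudWatch Logs nor Firehose can produce or read ciphertext under it, which is the lever the DLP team asked for. Omitting the root statement is a deliberate choice: it also means a DLP role that loses its own access can only be rescued through AWS Support, so keep kms:PutKeyPolicy on a role with a break-glass path.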