Which combination of steps should the solutions architect take to build the solution?
(Choose two.)
Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutBucketLogging action for the central AWS account ID.
Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutObject and s3:DeleteObject actions for the AppDev, AppTest, and AppProd account IDs.
Update the S3 bucket policy for the s3-elb-logs bucket to allow the s3:PutObject action for the AppDev, AppTest, and AppProd account IDs.
Enable access logging for the ELBs. Set the S3 location to the s3-elb-logs bucket.
Enable Amazon S3 default encryption using server-side encryption with S3 managed encryption keys (SSE-S3) for the s3-elb-logs S3 bucket.
Explanations:
The action s3:PutBucketLogging is not necessary for allowing ELB logs to be stored in the S3 bucket. The focus should be on permissions related to object storage.
While s3:DeleteObject is a valid action, it is not required for log consolidation, and it adds unnecessary permissions. Only s3:PutObject is essential for writing logs to the bucket.
Allowing s3:PutObject for the AppDev, AppTest, and AppProd account IDs is necessary for those accounts to write ELB logs to the central S3 bucket. This permission enables the logging functionality.
While enabling access logging for ELBs is useful, it does not address the requirement for log consolidation into the specified S3 bucket. Logs must be directed to the S3 bucket, but this option does not do that directly.
While enabling server-side encryption is important for security, it is not one of the steps that directly facilitate the consolidation of logs into the S3 bucket. It can be done but is not the focus of the log consolidation mechanism.