Which solution will meet these requirements?
Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with internet access and server-side encryption that uses the default AWS managed customer master key (CMK). Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
Create an Amazon OpenSearch Service (Amazon Elasticsearch Service) domain with VPC access and server-side encryption that uses AES-256. Configure CloudFront to use the Amazon OpenSearch Service (Amazon Elasticsearch Service) domain as a log destination.
Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination.
Create an Amazon S3 bucket that is configured with no default encryption. Enable encryption in the CloudFront distribution, and use the S3 bucket as a log destination.
Explanations:
Amazon OpenSearch Service cannot be directly used as a log destination for CloudFront, as CloudFront only supports logging to Amazon S3.
Like option A, OpenSearch Service is not a supported destination for CloudFront logs. Additionally, AES-256 encryption is not used directly with OpenSearch Service domains; AWS KMS is typically used for encryption.
Amazon S3 is a supported log destination for CloudFront, and configuring S3 with default server-side encryption (AES-256) ensures data is encrypted at rest as required.
This option lacks server-side encryption by default on the S3 bucket, which does not meet the encryption at rest requirement. Encrypting data solely on the CloudFront side does not suffice for S3 storage requirements.
I weigh that the answer is:
Create an Amazon S3 bucket that is configured with default server-side encryption that uses AES-256. Configure CloudFront to use the S3 bucket as a log destination.