Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in understanding which AWS services natively support CloudFront logging as a destination and how to ensure logs are encrypted at rest. In production, this is about knowing exactly how CloudFront integrates with backend storage for logs and leveraging AWS encryption features properly. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
RapidTech, a global e-commerce startup, uses Amazon CloudFront distributions to deliver its website content worldwide. The infrastructure team requires that all CloudFront access logs be collected in a centralized location for further analysis and retained for compliance. Additionally, all stored log data must be encrypted at rest, following the company’s security policies. The team needs to select the best AWS service and configuration to meet these requirements efficiently and securely.
The Requirement #
Identify the solution that ensures centralized logging from CloudFront, with all logs encrypted when stored at rest, while meeting best practices for security and operational simplicity.
The Options #
- A) Create an Amazon OpenSearch Service domain configured for public internet access and enable server-side encryption using the default AWS-managed CMK. Configure CloudFront to send logs directly to the OpenSearch domain.
- B) Create an Amazon OpenSearch Service domain configured within a VPC and enable server-side encryption using AES-256. Configure CloudFront to send logs directly to the OpenSearch domain.
- C) Create an Amazon S3 bucket with default server-side encryption enabled using AES-256. Configure CloudFront to deliver logs into this S3 bucket.
- D) Create an Amazon S3 bucket with no default encryption. Enable encryption within the CloudFront distribution, and configure CloudFront to send logs to this bucket.
Correct Answer #
C
Quick Insight: The SOA-C02 Imperative #
- For SREs: The key is knowing that CloudFront can only deliver logs directly to S3, not to OpenSearch domains, so options A and B are invalid from the start.
- Enabling default server-side encryption on the S3 bucket ensures compliance automatically and transparently.
- Option D is incorrect because CloudFront does not provide encryption-at-rest settings — storage encryption must be enforced on the S3 side.
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
CloudFront natively supports delivering its access logs only to Amazon S3 buckets—not directly to OpenSearch Service domains. Option C correctly creates an S3 bucket with default server-side encryption enabled using AES-256 (SSE-S3), which is AWS managed and meets encryption at rest requirements transparently. This ensures logs are encrypted as soon as they are written to S3 without requiring additional configuration in CloudFront.
The Trap (Distractor Analysis): #
- Why not Option A? OpenSearch domains do support encryption at rest, but CloudFront cannot send access logs directly to an OpenSearch cluster. Exposing the domain to the public internet is also a security risk for sensitive logs.
- Why not Option B? Even with VPC-only access and encryption, the blocker remains: CloudFront cannot target an OpenSearch Service domain as a logging destination.
- Why not Option D? CloudFront offers no encryption toggle for its logs; it relies on the destination storage's encryption. A bucket without default encryption would violate the encryption-at-rest requirement.
The Technical Blueprint #
```bash
# CLI snippet to create an S3 bucket with default AES-256 (SSE-S3) encryption as the CloudFront log destination
aws s3api create-bucket --bucket rapidtech-cf-logs --region us-east-1

# Enforce encryption at rest for every object written, including CloudFront's log deliveries
aws s3api put-bucket-encryption --bucket rapidtech-cf-logs --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }
  ]
}'

# CloudFront standard logging writes objects through an ACL grant, so ACLs must be enabled.
# New buckets default to BucketOwnerEnforced (ACLs disabled), which makes log delivery fail.
aws s3api put-bucket-ownership-controls --bucket rapidtech-cf-logs \
  --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]'

# Then enable standard logging on the distribution (console or update-distribution) with this bucket as the target
```
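An added audit example (not part of the original note) that checks a distribution and its log bucket against the scenario's two requirements. The input dicts are constructed here in the shape boto3 returns for GetDistributionConfig, GetBucketEncryption and GetBucketOwnershipControls; no AWS API is called, and the bucket name is the one used in the blueprint above.

```python
# Added example: audit a CloudFront distribution + S3 log bucket pair.
# Inputs are constructed boto3-shaped responses; nothing here talks to AWS.
ACCEPTED_SSE = {"AES256", "aws:kms"}  # default-encryption algorithms that satisfy "encrypted at rest"


def audit_log_pipeline(dist_config, bucket, encryption, ownership):
    """Return a list of findings; an empty list means Option C's posture is met.
    encryption=None models GetBucketEncryption failing with
    ServerSideEncryptionConfigurationNotFoundError, i.e. Option D's bucket."""
    findings = []
    logging_cfg = dist_config.get("Logging", {})
    if not logging_cfg.get("Enabled"):
        findings.append("standard logging is disabled on the distribution")
    # CloudFront addresses the log bucket by its S3 domain name, not its ARN
    if logging_cfg.get("Bucket") != f"{bucket}.s3.amazonaws.com":
        findings.append(f"log destination {logging_cfg.get('Bucket')!r} is not bucket {bucket!r}")
    if encryption is None:
        findings.append("bucket has no default server-side encryption")
    else:
        algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
                 for r in encryption["ServerSideEncryptionConfiguration"]["Rules"]}
        if not algos & ACCEPTED_SSE:
            findings.append(f"unexpected SSE algorithm(s): {sorted(algos)}")
    # Standard logging writes objects via an ACL grant, so ACLs must stay enabled
    for rule in ownership["OwnershipControls"]["Rules"]:
        if rule["ObjectOwnership"] == "BucketOwnerEnforced":
            findings.append("ACLs disabled (BucketOwnerEnforced): CloudFront cannot deliver logs")
    return findings


# Constructed sample responses
DIST_CONFIG = {"Logging": {"Enabled": True, "IncludeCookies": False,
                           "Bucket": "rapidtech-cf-logs.s3.amazonaws.com", "Prefix": "cf/"}}
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
ACLS_ENABLED = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}}
ACLS_DISABLED = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}

if __name__ == "__main__":
    print("Option C:", audit_log_pipeline(DIST_CONFIG, "rapidtech-cf-logs", SSE_S3, ACLS_ENABLED) or "compliant")
    print("Option D:", audit_log_pipeline(DIST_CONFIG, "rapidtech-cf-logs", None, ACLS_ENABLED))
    print("ACLs off:", audit_log_pipeline(DIST_CONFIG, "rapidtech-cf-logs", SSE_S3, ACLS_DISABLED))
```

The same function can be fed live responses from boto3's `get_distribution_config`, `get_bucket_encryption` and `get_bucket_ownership_controls` calls, catching the missing-encryption error and passing `None`.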
The Comparative Analysis #
| Option | Operational Overhead | Encryption Support | CloudFront Log Destination Support | Security Posture | Comments |
|---|---|---|---|---|---|
| A | Medium | AWS-managed CMK | No | Weak (public access) | CloudFront cannot deliver logs to OpenSearch domains |
| B | High (VPC Management) | AES-256 | No | Good (VPC restricted) | Same limitation as A; extra VPC complexity |
| C | Low | AES-256 (SSE-S3) | Yes | Good | Best practice: native CloudFront logging destination with encryption |
| D | Low | None by default | Yes | Poor | Does not meet encryption-at-rest requirement |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the SOA-C02 exam, always choose Amazon S3 as the native log storage destination when working with CloudFront logging requirements, especially when encryption at rest is mandated.”
Real World #
“In production, you might integrate S3 event notifications with Lambda functions or OpenSearch ingestion pipelines if real-time analysis is required, but the logging destination remains S3 to start.”
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.