Option B is correct because CloudWatch Logs subscription filters are the native way to send only matching log events to a downstream destination such as Amazon Data Firehose. AWS states that a subscription filter defines the filter pattern for which log events get delivered and where they are sent. AWS also documents that CloudWatch Logs events can be sent to Firehose by using subscription filters. This directly satisfies the requirement to deliver only relevant logs. Once the logs are in Firehose, AWS documents that Firehose can invoke an AWS Lambda function to transform incoming source data before delivering it to the destination, which satisfies the requirement to deliver the logs in a compatible format for analysis.

Option A is incorrect because S3 bucket rules do not filter CloudWatch log events by timestamp for ingestion control, and using S3 triggers adds unnecessary post-delivery processing. Option C is invalid because the subscription filter applies at the CloudWatch Logs log group, not by “monitoring the Firehose stream.” Option D is incorrect because Firehose does not natively ingest only CloudWatch log groups based on tags or automatically reformat arbitrary logs without a transformation step. The most reliable and AWS-native design is subscription filtering + Firehose + Lambda transformation.