DOP-C02 Question #26: Real Exam Question with Answer & Explanation
The correct answer is D: Create a CloudWatch Logs subscription to an AWS Lambda function. Configure the function to
Question
A production account has a requirement that any Amazon EC2 instance that has been logged in to manually must be terminated within 24 hours. All applications in the production account are using Auto Scaling groups with the Amazon CloudWatch Logs agent configured. How can this process be automated?
Options
- A. Create a CloudWatch Logs subscription to an AWS Step Functions application. Configure an
- B. Create an Amazon CloudWatch alarm that will be invoked by the login event. Send the
- C. Create an Amazon CloudWatch alarm that will be invoked by the login event. Configure the alarm
- D. Create a CloudWatch Logs subscription to an AWS Lambda function. Configure the function to
Explanation
Option D is correct because CloudWatch Logs subscriptions can stream log data in near-real-time to a Lambda function, which can then parse the login event, tag the EC2 instance, and schedule or directly invoke termination within the required 24-hour window - making this a fully automated, serverless, and event-driven solution perfectly suited for this requirement.
Option A is incorrect because while Step Functions can orchestrate workflows, triggering it via a CloudWatch Logs subscription adds unnecessary complexity compared to Lambda for this straightforward use case; Lambda is the more direct and appropriate target for log-based event processing.
Options B and C are incorrect because CloudWatch Alarms are metric-based, not log-event-based - you cannot directly invoke an alarm from a specific log event like an SSH/RDP login. CloudWatch Logs subscriptions (not alarms) are the correct mechanism to react to log content in real time.
Memory Tip 🧠
Think "Logs → Lambda": When you need to react to specific content inside log files (like a login event), use a CloudWatch Logs Subscription Filter → Lambda. Reserve CloudWatch Alarms for metric thresholds (CPU, latency, etc.), not log content parsing.