SCS-C02 Question #132: Real Exam Question with Answer & Explanation

The correct answer is D: Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Submitted by ashley.k · Mar 6, 2026 · Identity and Access Management

Question

A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file. However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance. What should the security engineer do next to resolve the issue?

Options

  • A. Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail
  • B. Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the
  • C. Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of
  • D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Explanation

Option D is correct because the CloudWatch agent running on an EC2 instance needs IAM permissions to write logs to CloudWatch - attaching the CloudWatchAgentServerPolicy managed policy to the EC2 instance role grants exactly those permissions (PutLogEvents, CreateLogGroup, CreateLogStream, etc.). When the agent is installed and configured but logs aren't arriving, a missing IAM policy on the instance role is the most common root cause.
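To make the troubleshooting step concrete, here is an added example (not from the exam page or from AWS) that checks offline whether an instance role's policies allow the actions the CloudWatch agent needs to ship log files. The policy documents, the agent configuration fragment and the role name are constructed for illustration; the CloudWatchAgentServerPolicy stand-in is an approximation limited to the log-related actions, and the matcher deliberately ignores Deny, Resource and Condition, so it answers "is the permission present at all", which is exactly the question the scenario raises.

```python
import fnmatch
import json

# Actions the CloudWatch agent uses to create groups/streams and push log events.
AGENT_LOG_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
)

# Constructed approximation of the AWS managed policy the exam answer refers to.
# The real policy also grants cloudwatch:PutMetricData, ec2:Describe* and
# ssm:GetParameter; only the log-related actions matter for this question.
CLOUDWATCH_AGENT_SERVER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:PutMetricData", "logs:PutLogEvents",
                   "logs:DescribeLogStreams", "logs:DescribeLogGroups",
                   "logs:CreateLogStream", "logs:CreateLogGroup"],
        "Resource": "*",
    }],
}

# Constructed: an instance role whose only policy lets the app read a bucket.
# The agent runs fine, but nothing allows it to write to CloudWatch Logs.
S3_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-app-config/*"},
}

# Constructed agent config fragment in the schema of amazon-cloudwatch-agent.json.
AGENT_CONFIG = {
    "logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": "/var/log/app/security.log",
         "log_group_name": "app-security",
         "log_stream_name": "{instance_id}"},
    ]}}}
}


def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single item or a list.
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy_documents):
    """Collect the Action patterns from every Allow statement.

    Simplification: Deny statements, Resource and Condition are not evaluated,
    so this is a permission-presence check, not a full IAM simulation.
    """
    patterns = set()
    for doc in policy_documents:
        if isinstance(doc, str):
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            patterns.update(_as_list(stmt.get("Action", [])))
    return patterns


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_agent_permissions(policy_documents, required=AGENT_LOG_ACTIONS):
    """Return the required agent actions that no attached policy allows."""
    patterns = allowed_action_patterns(policy_documents)
    return [a for a in required
            if not any(_action_matches(p, a) for p in patterns)]


def configured_log_files(agent_config):
    """List (file_path, log_group_name) pairs the agent config asks it to ship."""
    collect = (agent_config.get("logs", {}).get("logs_collected", {})
               .get("files", {}).get("collect_list", []))
    return [(e["file_path"], e["log_group_name"]) for e in collect]


def diagnose(role_name, policy_documents, agent_config):
    """Mirror the exam scenario: agent configured and running, but is IAM in place?"""
    files = configured_log_files(agent_config)
    if not files:
        return f"{role_name}: agent config has no collect_list entries, nothing to ship"
    missing = missing_agent_permissions(policy_documents)
    if missing:
        return (f"{role_name}: cannot ship {len(files)} file(s); role lacks "
                f"{', '.join(missing)} - attach CloudWatchAgentServerPolicy")
    return f"{role_name}: permissions OK for {', '.join(g for _, g in files)}"


if __name__ == "__main__":
    print(diagnose("app-server-role", [S3_READ_ONLY_POLICY], AGENT_CONFIG))
    print(diagnose("app-server-role",
                   [S3_READ_ONLY_POLICY, CLOUDWATCH_AGENT_SERVER_POLICY], AGENT_CONFIG))
```

In practice the policy documents would come from the role's attached and inline policies, and the config from the file the agent was started with; the first `diagnose` call reproduces the question's symptom (agent running, role lacking every `logs:` action) and the second shows the state after option D is applied.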

Why the distractors are wrong:

  • A is wrong because CloudTrail records API calls for auditing, not custom application log ingestion - and it's unrelated to fixing a CloudWatch agent permission issue.
  • B is wrong because writing to S3 is an entirely different logging destination, not a fix for CloudWatch, and the scenario doesn't call for S3.
  • C is wrong because Amazon Inspector is a vulnerability assessment service, not a log collection service - it has no role in forwarding application logs.

Memory tip: Think of it as a two-step setup - install the agent (software) and grant the role (permissions). If the agent is running but logs aren't flowing, the missing piece is almost always the IAM policy. The phrase "agent running but no logs" → "check the instance role policy" is a reliable pattern on AWS exams.

Topics

#CloudWatchAgent #IAMPermissions #EC2InstanceRoles #LogCollectionTroubleshooting
