SCS-C02 Question #195: Real Exam Question with Answer & Explanation
Question
A company deploys its application as a service on an Amazon Elastic Container Service (Amazon ECS) cluster with the AWS Fargate launch type. A security engineer suspects that some incoming requests are malicious. The security engineer needs to inspect the running container by retrieving log files and memory dump files. Which solution will meet these requirements with the LEAST operational effort?
Options
- A: Migrate the application to an ECS cluster with the Amazon EC2 launch type. Configure the EC2
- B: Update the application to dump the required data to STDOUT. Use the awslogs log driver to pass
- C: Turn on Amazon CloudWatch Container Insights for the ECS cluster. Send the log data to
- D: Update the ECS task role with AWS Systems Manager permissions. Enable the ECS Exec
Explanation
There's an important issue here: the stated correct answer (B) appears to be incorrect for this question. Based on the scenario requirements and AWS best practices, Option D is the correct answer.
Why D is correct: ECS Exec (backed by AWS Systems Manager Session Manager) lets a security engineer run interactive commands directly inside a running Fargate container - retrieving log files and triggering memory dumps - without any application code changes. You simply grant SSM permissions to the task IAM role and enable the execute-command flag on the service, making it the lowest-effort solution for live container inspection.
Why the distractors are wrong:
- A is wrong because migrating from Fargate to EC2 launch type is high operational overhead and contradicts the "least effort" requirement.
- B is wrong because it requires modifying application code to write dumps to STDOUT, and STDOUT is not a practical channel for binary memory dump files - it's designed for structured log output.
- C is wrong because CloudWatch Container Insights provides metrics and logs aggregation, but it does not give you the ability to retrieve arbitrary files or memory dumps from inside a running container.
Memory tip: Think "ECS Exec = SSH into Fargate." When an exam question asks about inspecting a live container or running commands inside a container on Fargate, ECS Exec + SSM is almost always the answer - no infra changes, no code changes, just IAM permissions and a flag.
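The ECS Exec setup the explanation describes (task-role SSM permissions, then the execute-command flag on the service, then a session into a running task), as an added shell example that is not part of the exam page or AWS's own documentation. Cluster, service, role and container names are assumed placeholders; it requires the AWS CLI and the Session Manager plugin, and it changes nothing in the application image.

```shell
#!/bin/sh
# Added example. Placeholder names (assumed, not from the question):
CLUSTER="${CLUSTER:-app-cluster}"
SERVICE="${SERVICE:-app-service}"
TASK_ROLE_NAME="${TASK_ROLE_NAME:-app-task-role}"
CONTAINER="${CONTAINER:-app}"

# Inline policy for the ECS *task role*: the SSM agent inside the task needs
# these four ssmmessages actions to open the Session Manager channels.
ecs_exec_task_role_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
              "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"],
   "Resource": "*"}]}
EOF
}

# Attach the policy, then set the execute-command flag on the service. Tasks
# launched before the flag was set never get the agent, hence the redeploy.
enable_ecs_exec() {
  aws iam put-role-policy --role-name "$TASK_ROLE_NAME" \
    --policy-name ecs-exec --policy-document "$(ecs_exec_task_role_policy)"
  aws ecs update-service --cluster "$CLUSTER" --service "$SERVICE" \
    --enable-execute-command --force-new-deployment
}

# Print the ARN of a RUNNING task whose ExecuteCommandAgent is itself RUNNING;
# a task that predates the flag is rejected by execute-command, so check first.
exec_ready_task() {
  task=$(aws ecs list-tasks --cluster "$CLUSTER" --service-name "$SERVICE" \
    --desired-status RUNNING --query 'taskArns[0]' --output text)
  aws ecs describe-tasks --cluster "$CLUSTER" --tasks "$task" --output text \
    --query "tasks[0].containers[?name=='$CONTAINER'][].managedAgents[?name=='ExecuteCommandAgent'][].lastStatus" \
    | grep -q RUNNING && echo "$task"
}

# Arguments for an interactive shell in the suspect container. Kept separate
# so the exact command line can be reviewed (or tested) without calling AWS.
exec_args() {
  printf '%s' "ecs execute-command --cluster $CLUSTER --task $1 --container $CONTAINER --interactive --command /bin/sh"
}

# Real run:  enable_ecs_exec && t=$(exec_ready_task) && aws $(exec_args "$t")
# Inside the session, collect the log directory or run the dump tool already in the image.
```

Session activity is logged by Session Manager and CloudTrail records the ExecuteCommand call, so the inspection itself leaves an audit trail.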