
SCS-C03 Question #5: Real Exam Question with Answer & Explanation


Submitted by jian89 · Mar 6, 2026

Question

A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file. However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance. What should the security engineer do next to resolve the issue?

Options

  • A. Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail
  • B. Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the
  • C. Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of
  • D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

Explanation

The correct answer is D. The Amazon CloudWatch agent requires explicit IAM permissions to create log groups, create log streams, and put log events into Amazon CloudWatch Logs. According to the AWS Certified Security - Specialty Study Guide, the most common cause of CloudWatch agent log delivery failures is missing or insufficient IAM permissions on the EC2 instance role. The CloudWatchAgentServerPolicy AWS managed policy provides the required permissions, including logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Attaching this policy to the EC2 instance role lets the CloudWatch agent deliver the custom application logs without any change to the application or to the agent's logging configuration. Options A, B, and C are incorrect because CloudTrail, Amazon S3, and Amazon Inspector are not designed to ingest custom application logs from EC2 instances in this manner; a trust policy also only controls who may assume the role, not what the role may do. AWS documentation states that IAM permissions must be granted to the EC2 instance role for CloudWatch Logs ingestion. This approach aligns with AWS best practices for least privilege while ensuring reliable detection and monitoring capabilities.
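The troubleshooting step the explanation describes, checking whether the instance role's policies actually allow the three logs: actions, can be automated. The script below is an added example and is not from the exam page or from AWS: it applies a simplified IAM evaluation (explicit Deny wins, then any Allow, otherwise implicit deny; conditions and resource ARNs are ignored by assumption) to a list of policy documents and reports which required actions are still missing. The policy documents in it are constructed for the example; the AGENT_LOGS_POLICY block is only an approximation of the Logs permissions in CloudWatchAgentServerPolicy, not the real managed policy text.

```python
"""Check whether IAM policy documents grant the Logs actions the CloudWatch agent needs.

Added example, not the exam page's or AWS's code. Policy documents are constructed.
"""
import fnmatch

# The three actions the explanation names as required for log delivery.
REQUIRED_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
)


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_action(policy_docs, action):
    """Return 'allow', 'deny' or 'implicit-deny' for one action across all policies.

    Simplified evaluation (assumption): an explicit Deny wins, then any Allow,
    otherwise implicit deny. Conditions and Resource ARNs are not evaluated.
    """
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if "NotAction" in stmt:
                # NotAction matches every action that is NOT listed
                hit = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                hit = any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
            if not hit:
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit-deny"


def missing_agent_permissions(policy_docs):
    """List the required Logs actions that the given policies do not allow."""
    return [a for a in REQUIRED_ACTIONS if evaluate_action(policy_docs, a) != "allow"]


# Constructed: an instance role that only has S3 read access (the failing case in the question)
S3_ONLY_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}
    ],
}

# Constructed approximation of the Logs portion of CloudWatchAgentServerPolicy
# (not the real managed policy document; read the actual text from IAM before relying on it)
AGENT_LOGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed: an explicit Deny elsewhere (e.g. a boundary-style policy) overrides the Allow
DENY_PUT_EVENTS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "logs:PutLogEvents", "Resource": "*"}],
}

if __name__ == "__main__":
    print(missing_agent_permissions([S3_ONLY_ROLE]))                     # all three missing
    print(missing_agent_permissions([S3_ONLY_ROLE, AGENT_LOGS_POLICY]))  # []
    print(missing_agent_permissions([AGENT_LOGS_POLICY, DENY_PUT_EVENTS]))  # ['logs:PutLogEvents']
```

On a real instance the inputs would be the documents returned by `aws iam get-role-policy` and `aws iam get-policy-version` for every policy attached to the instance role; `aws iam simulate-principal-policy` gives the authoritative answer because it also evaluates conditions, resources and permissions boundaries, which this simplified checker deliberately skips.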

Community Discussion

No community discussion yet for this question.
