Q55 — AWS DOP-C02 Ch.1
A company’s application runs on Amazon EC2 instances. The application writes log files recording user login sessions, dates, durations, and source IP addresses. Logs are published to a log group in Amazon CloudWatch Logs. The company is conducting root cause analysis for an incident that occurred the previous day. The company needs to know how many times a specific user logged in over the past seven days.
- A. Create a CloudWatch Logs metric filter on the log group. Use a filter pattern matching the username. Publish a CloudWatch metric summarizing login counts over the past seven days.
- B. Create a CloudWatch Logs subscription on the log group. Use a filter pattern matching the username. Publish a CloudWatch metric summarizing login counts over the past seven days.
- C. Create a CloudWatch Logs Insights query that uses an aggregation function to count login occurrences for the username over the past seven days. Run the query against the log group. ✓
- D. Create a CloudWatch dashboard. Add a numeric widget with a filter pattern that computes the login count for the username directly from the log group over the past seven days.
Correct Answer: C. Create a CloudWatch Logs Insights query that uses an aggregation function to count login occurrences for the username over the past seven days. Run the query against the log group.
Explanation
CloudWatch Logs Insights is purpose-built for ad hoc log analysis and supports on-demand, flexible querying using aggregation functions (e.g., `stats count() by username`). It directly scans raw log data in the specified time range without requiring preconfigured metrics or infrastructure. Option A (metric filters) and Option B (subscriptions) require prior setup and generate ongoing metrics—unsuitable for one-time, retrospective analysis. Option D is invalid because CloudWatch dashboards display metrics, not raw log queries; widgets cannot execute dynamic log filtering. Therefore, Option C is the only solution that meets the need for immediate, accurate, and flexible historical login counting.