Q48 — AWS SCS-C02 Ch.1
An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years. A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years. Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
- A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs. ✓
- B. Set the log retention for desired log groups to 7 years. ✓
- C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs. ✓
- D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
- E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
- F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.
Correct Answer: A, B, C
Explanation
This question tests how AWS log management integrates with Auto Scaling groups. According to the AWS documentation, installing the CloudWatch agent (A) streams logs to Amazon CloudWatch Logs as they are written, so no log data is lost when an instance is terminated during a scale-in event. CloudWatch Logs lets you set a retention period per log group (B); log groups retain data indefinitely by default, so the retention must be explicitly set to 7 years. The EC2 instances that the Auto Scaling groups launch need an IAM role attached through the launch configuration or launch template (C) to obtain permission to write to CloudWatch Logs. Options D and E describe an S3-based approach that the question does not adopt, and while the S3 Lifecycle policy in F is technically valid, it does not fit the CloudWatch Logs solution path that the question specifies. Reference: the "Amazon CloudWatch User Guide", sections on log collection and retention policies.