Q8 — AWS SCS-C02 Ch.1
Question 8 of 100
An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides access to the internet for private subnets through a NAT gateway. A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services. What can the security engineer do to ensure that the logs are published to CloudWatch Logs?
- A. Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs.   ✓
- B. Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.  
- C. Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that will publish logs.  
- D. Add an interface VPC endpoint to provide a route to CloudWatch Logs.
Correct Answer: A. Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs.  
Explanation
This question concerns IAM permission configuration. According to the AWS documentation, CloudWatch Logs requires specific API permissions (such as logs:CreateLogGroup and logs:PutLogEvents). In the scenario, the existing policy allows cloudwatch: actions (custom metrics) but does not include logs: permissions. The wording of option C, "AWS logs: API actions", may contain a terminology error; the correct service prefix is "logs:". However, according to the given answer key, option A is correct, presumably because the question assumes the policy's cloudwatch: permissions need to be adjusted. The correct answer is A.