Q85 — AWS SCS-C02 Ch.1

Question 85 of 100

A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC. The application is generating logs. However, when the security engineer queries CloudWatch, the logs do not appear. Which combination of steps should the security engineer take to troubleshoot this issue? (Choose three.)

Correct Answer: A, C, D

A. Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
C. Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
D. Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.

Explanation

This question is about troubleshooting CloudWatch Logs delivery from a VPC that has no internet path. For the agent to ship logs through the interface endpoints, three things have to line up: the right IAM permissions on the instance role, a correct agent configuration, and endpoint policies that authorize the calls. Option A covers the case of an instance role with insufficient permissions: if the instance profile does not grant logs:CreateLogStream and logs:PutLogEvents (and logs:CreateLogGroup when the group does not already exist), the agent can reach the endpoint but every write is rejected. Option C covers agent misconfiguration: a wrong file_path in the collect_list, a log pattern that matches no file, or an incorrect region setting in the agent or common configuration means the agent never captures or never sends the logs; the agent's own log file on the instance (/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log) records both kinds of failure. Option D covers a restrictive endpoint policy: the default endpoint policy allows full access, but if the networking team customized the policies so that the Principal does not include the instance role (or "*") or the allowed Actions omit the logs:* calls the agent makes, the endpoint drops the requests before they reach the service. Option E is wrong because the VPC endpoints already provide private connectivity, so a NAT gateway is unnecessary. Option B does not help while no log data is arriving in CloudWatch, and option F concerns communication between the instances, which is not on the path from the agent to the CloudWatch endpoints.
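The three checks behind options A, C and D can be rehearsed offline before touching the account. The script below is an added example, not AWS-provided code: it evaluates an instance-profile policy and an endpoint policy for the Logs API actions the agent needs, and walks a CloudWatch agent configuration to find collect_list paths that match nothing on disk. The policy evaluator is deliberately simplified (it handles Allow/Deny, string-or-list Action with wildcards, and Principal, but ignores Condition, NotAction and Resource scoping), the role ARN, account ID and policy documents are constructed sample inputs, and the temporary log directory is created by the script itself so the path check has something real to look at.

```python
"""Offline checks for CloudWatch agent log delivery through VPC endpoints.

Added example (not AWS code). Inputs below are constructed, not real
account artefacts. The policy evaluator is simplified: Condition,
NotAction and Resource are ignored, so "nothing missing" is necessary
for delivery to work, not sufficient.
"""
import fnmatch
import glob
import json
import os
import tempfile

# Minimum Logs API actions the agent needs to ship a file to a log group
# (a subset of the AWS-managed CloudWatchAgentServerPolicy). The endpoint
# policy must allow the same actions for the instance role.
REQUIRED_LOG_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams",
)


def _as_list(value):
    """IAM lets Action/Principal fields be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _principal_matches(statement, principal_arn):
    """Endpoint policies carry a Principal; identity policies do not."""
    if "Principal" not in statement:
        return True  # identity policy: applies to the role it is attached to
    principal = statement["Principal"]
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS")))
    return False


def missing_actions(policy, required=REQUIRED_LOG_ACTIONS, principal_arn=None):
    """Return the required actions this policy does not allow (Deny wins)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt, principal_arn):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in required if _action_matches(pattern, a))
    return sorted(set(required) - (allowed - denied))


def collected_files(agent_config):
    """file_path entries from logs.logs_collected.files.collect_list."""
    files = agent_config.get("logs", {}).get("logs_collected", {}).get("files", {})
    return [entry["file_path"] for entry in files.get("collect_list", [])]


def unmatched_paths(agent_config):
    """collect_list paths (plain or glob) that match no file on this host."""
    return [p for p in collected_files(agent_config) if not glob.glob(p)]


# --- constructed sample inputs (hypothetical account, role and paths) ---
INSTANCE_ROLE_ARN = "arn:aws:iam::123456789012:role/AppLogsRole"

# Instance profile policy that forgot logs:PutLogEvents (option A).
instance_policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                              "logs:DescribeLogStreams"]}],
}

# Endpoint policy customized for a different role, so the instances'
# requests are rejected at the endpoint (option D).
endpoint_policy = {
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": "logs:*",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/SomeOtherRole"}}],
}

# Agent config with one path that exists and one that matches nothing (option C).
SAMPLE_DIR = tempfile.mkdtemp(prefix="cwagent-demo-")
EXISTING_LOG = os.path.join(SAMPLE_DIR, "app.log")
MISSING_PATTERN = os.path.join(SAMPLE_DIR, "missing", "*.log")
open(EXISTING_LOG, "w").close()
agent_config = {
    "agent": {"region": "us-east-1"},
    "logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": EXISTING_LOG, "log_group_name": "myapp", "log_stream_name": "{instance_id}"},
        {"file_path": MISSING_PATTERN, "log_group_name": "myapp", "log_stream_name": "{instance_id}"},
    ]}}},
}


def run_checks(instance_policy, endpoint_policy, agent_config, role_arn):
    """Run all three checks and return the findings as one dict."""
    return {
        "instance_profile_missing": missing_actions(instance_policy),
        "endpoint_policy_missing": missing_actions(endpoint_policy, principal_arn=role_arn),
        "unmatched_log_paths": unmatched_paths(agent_config),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(instance_policy, endpoint_policy,
                                agent_config, INSTANCE_ROLE_ARN), indent=2))
```

On a real instance, feed missing_actions the documents returned by the IAM and EC2 APIs (the role's attached and inline policies, and the PolicyDocument of each interface endpoint) and run unmatched_paths against the config the agent actually loaded; an empty result from all three narrows the problem to what the evaluator deliberately ignores, such as Condition keys, Resource scoping, or network reachability of the endpoint.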