Q71 — AWS SOA-C02 Ch.1
A company runs thousands of Amazon EC2 instances that are based on the Amazon Linux 2 Amazon Machine Image (AMI). A SysOps administrator must implement a solution to record commands and output from any user that needs an interactive session on one of the EC2 instances. The solution must log the data to a durable storage location. The solution also must provide automated notifications and alarms that are based on the log data. Which solution will meet these requirements with the MOST operational efficiency?
- A. Configure command session logging on each EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up query filters and alerts by using Amazon Athena.
- B. Require all users to use a central bastion host when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent on the bastion host to send session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
- C. Require all users to use AWS Systems Manager Session Manager when they need command line access to an EC2 instance. Configure Session Manager to stream session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs. ✓
- D. Configure command session logging on each EC2 instance. Require all users to use AWS Systems Manager Run Command documents when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up CloudWatch alarms that are based on Amazon Athena query results.
Correct Answer: C. Require all users to use AWS Systems Manager Session Manager when they need command line access to an EC2 instance. Configure Session Manager to stream session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.
Explanation
AWS Systems Manager Session Manager provides secure instance access without SSH keys or bastion hosts, and supports automatic streaming of session logs to Amazon CloudWatch Logs. Combined with CloudWatch metric filters and alarms, it can monitor and analyze the log data in real time, ensuring that logs are durably stored and that automated notifications are triggered. Option C uses native integration to reduce manual configuration and maintenance effort, which is especially suitable for large EC2 fleets and gives the highest operational efficiency. [Reference: AWS Systems Manager Session Manager documentation]; the other options require an additional agent (A, D) or depend on a centralized bastion host (B), introducing more management complexity.