exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 125 discussion

An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC The VPC provides access to the internet for private subnets through a NAT gateway.

A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services.

What can the security engineer do to ensure that the logs are published to CloudWatch Logs?

  • A. Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs.
  • B. Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.
  • C. Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that will publish logs.
  • D. Add an interface VPC endpoint to provide a route to CloudWatch Logs.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
IPLogic
3 days, 14 hours ago
Selected Answer: C
To ensure that the logs are published to CloudWatch Logs, the security engineer should take the following steps: Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that will publish logs. This ensures that the IAM role has the necessary permissions to interact with CloudWatch Logs. Therefore, the correct answer is C. This approach ensures that the IAM role has the appropriate permissions to publish logs to CloudWatch Logs, resolving the issue of logs not being published.
upvoted 1 times
IPLogic
3 days, 14 hours ago
Option A suggests configuring the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs. However, the correct API actions required for publishing logs to CloudWatch Logs are actually under the logs: namespace, not cloudwatch:. This is a crucial distinction because the cloudwatch: actions are related to CloudWatch metrics and alarms, whereas the logs: actions are specifically for managing and publishing logs. To ensure that the logs are published to CloudWatch Logs, the IAM policy must include permissions for actions such as logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, and logs:DescribeLogStreams1. Therefore, option C is correct because it specifies the necessary logs: API actions, ensuring that the IAM role has the appropriate permissions to publish logs to CloudWatch Logs.
upvoted 1 times
...
...
ericxw
3 weeks ago
Selected Answer: C
"What API calls does the agent make (or what actions should I add to my IAM policy)?" https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html#:~:text=What%20API%20calls%20does%20the%20agent%20make%20(or%20what%20actions%20should%20I%20add%20to%20my%20IAM%20policy)%3F
upvoted 1 times
...
mzeynalli
3 weeks, 6 days ago
Selected Answer: A
Option C: The correct actions to publish logs are under the `cloudwatch:` namespace, not `aws logs:`; hence this option is misleading and incorrect.
upvoted 2 times
...
DSExam
1 month ago
Selected Answer: C
C is right, see below All CloudWatch Logs actions (logs:*)
upvoted 1 times
...
pagom
1 month, 1 week ago
Selected Answer: C
cloudwatch: API is different logs: API
upvoted 1 times
...
div05jkjl
1 month, 3 weeks ago
Selected Answer: C
C is correct
upvoted 1 times
...
Lingo43
3 months ago
Selected Answer: C
The scenario describes that the CloudWatch agent is running, the network is working, and the IAM role already has permissions to publish custom metrics. This suggests that the issue lies in the IAM permissions related specifically to publishing logs. The CloudWatch Logs agent needs permissions to interact with the CloudWatch Logs service, which is governed by the logs: API actions.
upvoted 2 times
...
xTrayusx
4 months, 1 week ago
Selected Answer: C
C, it's logs:* actions
upvoted 1 times
helloworldabc
2 months, 3 weeks ago
just A
upvoted 1 times
...
...
navid1365
4 months, 2 weeks ago
Selected Answer: A
A is correct.
upvoted 1 times
...
1923
4 months, 2 weeks ago
chatgpt saids "D"
upvoted 1 times
...
aescudero51
6 months ago
Selected Answer: A
My answer is A https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchFullAccess.html
upvoted 2 times
...
Certified101
6 months, 3 weeks ago
Selected Answer: A
Must be A - it states that the networking is fine in this scenario.
upvoted 1 times
...
Zek
6 months, 4 weeks ago
A The problem is with the ec2 instance not being able to publish logs from the cloudwatch agent running on the instance and not really to do with the autoscaling service role. The auto scaling service role will instead require the following Create, describe, modify, and delete CloudWatch alarms for scaling policies and retrieve metrics used for predictive scaling. https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-service-linked-role.html#service-linked-role-permissions
upvoted 3 times
...
danish1234
7 months ago
Selected Answer: A
A is the answer . have to check IAM roles used by ec2.
upvoted 3 times
...
krishnavamshireddy
7 months ago
Answer is D
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago