Question
A company has a policy that all Amazon EC2 instance logs must be published to Amazon CloudWatch Logs. A SysOps administrator is troubleshooting an EC2 instance that is running Amazon Linux 2. The EC2 instance is not publishing logs to CloudWatch Logs. The Amazon CloudWatch agent is running on the EC2 instance, and the agent configuration file is correct. What should the SysOps administrator do to resolve the issue?
A. Configure the AWS CLI on the EC2 instance. Create a cron job that calls the PutLogEvents API operation to push the log files to CloudWatch every 5 minutes.
B. Inspect the retention period of the CloudWatch Logs log group. Ensure that the retention period is set to a value that is greater than 1 day.
C. Set up an Amazon Kinesis data stream that is running in the same AWS Region as the EC2 instance. Configure the CloudWatch agent on the EC2 instance to send CloudWatch events to the data stream.
D. Ensure that the IAM role that is attached to the EC2 instance has permissions in CloudWatch Logs for the CreateLogGroup, CreateLogStream, PutLogEvents, and DescribeLogStreams actions.
Answer
D. Ensure that the IAM role that is attached to the EC2 instance has permissions in CloudWatch Logs for the CreateLogGroup, CreateLogStream, PutLogEvents, and DescribeLogStreams actions.
Explanation
The correct answer is D. The agent is running and its configuration is correct, so the remaining cause is the credentials the agent is using: the IAM role attached to the instance (through its instance profile) must grant the CloudWatch Logs actions the agent calls.
To publish EC2 instance logs to CloudWatch Logs, you install and configure the CloudWatch agent on the instance. The agent collects log files and metrics from the instance and sends them to CloudWatch Logs and CloudWatch metrics; the agent configuration file specifies which log files and metrics to collect and which log group and stream names to use.
Installing and configuring the agent is not enough. The agent authenticates its API calls with credentials it obtains from the instance profile (via the instance metadata service), so the IAM role behind that profile must allow the CloudWatch Logs actions the agent makes. An IAM role is an identity with attached policies; the policies define which actions the instance may call and on which resources. If the role is missing, or its policies do not cover those actions, every call fails with AccessDeniedException and nothing is published, even though the agent process is healthy.
The minimum CloudWatch Logs permissions the instance role needs for log publishing are:
- logs:CreateLogGroup: lets the agent create the log group named in its configuration if it does not already exist. A log group is a collection of log streams that share the same retention, monitoring, and access control settings.
- logs:CreateLogStream: lets the agent create a log stream inside that group, typically one per instance or per log file. A log stream is a sequence of log events from the same source.
- logs:PutLogEvents: lets the agent upload batches of log events. A log event is a timestamped record read from the instance, such as a line from /var/log/messages.
- logs:DescribeLogStreams: lets the agent list existing streams in the group so it can resume writing to a stream instead of failing or recreating it.
The AWS managed policy CloudWatchAgentServerPolicy grants these actions (together with cloudwatch:PutMetricData and the ec2:Describe* and ssm:GetParameter actions the agent also uses) and is the usual way to satisfy this requirement.
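The four actions above are the ones to audit on the instance role. The following is an added example, not code from the page or from AWS: a small offline evaluator that takes an IAM policy document and reports which of the required logs actions it does not allow for a given log-group ARN. It implements the core IAM rule (explicit Deny beats Allow, Allow beats the implicit deny, `*` and `?` wildcards in Action, NotAction and Resource) but deliberately ignores Condition blocks, permissions boundaries and SCPs, so treat a clean result as necessary, not sufficient. The policy documents and ARN are constructed for the example.

```python
"""Offline check of an instance-role policy against the CloudWatch agent's
log-publishing needs. Added example, simplified IAM evaluation only."""
import json
import re

# The CloudWatch Logs actions the agent needs for log publishing.
REQUIRED_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams",
)


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run, '?' is one character.
    Action names are case-insensitive in IAM, so match ignoring case."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _as_list(value):
    """IAM allows a single string or a list in Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, resource: str, actions=REQUIRED_ACTIONS) -> dict:
    """Return {action: 'allow' | 'deny' | 'implicit_deny'} for each action on
    the given resource ARN, applying: explicit Deny wins, then Allow, else
    implicit deny. Condition keys are ignored (simplification)."""
    verdict = {action: "implicit_deny" for action in actions}
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        acts, not_acts = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if acts and not any(_iam_match(p, action) for p in acts):
                continue
            if not_acts and any(_iam_match(p, action) for p in not_acts):
                continue
            if not acts and not not_acts:
                continue
            if not any(_iam_match(p, resource) for p in resources):
                continue
            if effect == "Deny":
                verdict[action] = "deny"
            elif effect == "Allow" and verdict[action] != "deny":
                verdict[action] = "allow"
    return verdict


def missing_actions(policy: dict, resource: str) -> list:
    """Sorted list of required actions the policy does not allow on resource."""
    return sorted(a for a, v in evaluate(policy, resource).items() if v != "allow")


# Constructed sample inputs (hypothetical account and log group).
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/var/log/messages:*"

# Mirrors the logs portion of CloudWatchAgentServerPolicy.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["logs:PutLogEvents", "logs:DescribeLogStreams",
                            "logs:DescribeLogGroups", "logs:CreateLogStream",
                            "logs:CreateLogGroup", "cloudwatch:PutMetricData"],
                 "Resource": "*"}]}""")

# A common mistake: metrics work, logs silently never appear.
METRICS_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"},
                {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}]}""")

# Broad Allow undone by a guardrail Deny on the create actions.
GUARDRAIL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "arn:aws:logs:*:*:*"},
                {"Effect": "Deny", "Action": "logs:CreateLog*", "Resource": "*"}]}""")


if __name__ == "__main__":
    for name, policy in [("good", GOOD_POLICY), ("metrics-only", METRICS_ONLY_POLICY),
                         ("guardrail", GUARDRAIL_POLICY)]:
        print(f"{name}: missing {missing_actions(policy, LOG_GROUP_ARN) or 'nothing'}")
```

In practice you would feed it the output of `aws iam get-role-policy` / `aws iam get-policy-version` for every policy attached to the instance role; for an authoritative answer that includes conditions and boundaries, use the IAM policy simulator (`iam:SimulatePrincipalPolicy`) instead.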
Option A is incorrect because a cron job calling PutLogEvents through the AWS CLI duplicates what the running agent already does, adds configuration and maintenance, and would fail for exactly the same reason: the CLI on the instance uses the same instance-profile credentials, so without the required logs permissions its calls are denied too.
Option B is incorrect because the retention period of a log group only controls how long CloudWatch Logs keeps events before deleting them (the minimum is 1 day). It has no effect on whether the instance is permitted to write events to the group.
Option C is incorrect because a Kinesis data stream is not part of the EC2-to-CloudWatch Logs path, and the CloudWatch agent does not publish to Kinesis. Kinesis is for collecting and processing streaming data, and CloudWatch Events (EventBridge) are notifications about changes in AWS resources, which is a different thing from the log lines the agent ships. Both can be used for downstream processing of logs, but neither is needed to get the agent's output into CloudWatch Logs.
Option D is correct because the CloudWatch agent needs the CreateLogGroup, CreateLogStream, PutLogEvents, and DescribeLogStreams permissions on the instance role to create or find the log group and stream and to upload events. Without them every call is rejected and no logs appear. To confirm this is the cause on the instance, check that an instance profile is actually attached (`aws sts get-caller-identity` from the instance should return the role's assumed-role ARN) and read the agent's own log at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log, which records AccessDeniedException responses naming the denied action. Attach a role with these permissions (for example the AWS managed CloudWatchAgentServerPolicy) using the AWS Management Console, the AWS CLI, or the AWS SDKs.
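Reading the agent log by hand works, but on a fleet it helps to extract the denied principal and actions mechanically. The script below is an added example, not code from the page or from the agent: it scans agent log text for the standard AWS AccessDeniedException message ("User: ... is not authorized to perform: service:Action on resource: ...") and for the Go SDK's "NoCredentialProviders" error that appears when no instance profile is attached, and summarises which permissions the role is missing. The sample log lines are constructed for the example; they follow the agent's timestamp / level-flag / plugin prefix style, but the exact surrounding text in a real log may differ, and only the AWS error strings are matched.

```python
"""Triage a CloudWatch agent log for IAM-related publish failures.
Added example with constructed sample log lines."""
import re
from collections import Counter

# Default location of the agent's own log on Amazon Linux 2.
AGENT_LOG_PATH = "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log"

# Standard AWS AccessDeniedException wording; the resource clause is optional.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)(?: on resource: (?P<resource>\S+))?"
)
# aws-sdk-go v1 error when no credential source (instance profile) is found.
NO_CREDS_RE = re.compile(r"NoCredentialProviders: no valid providers in chain")


def triage(log_text: str) -> dict:
    """Summarise IAM failures in agent log text.

    Returns {"denied": {action: count}, "principals": {arn, ...},
             "resources": {arn, ...}, "no_credentials": bool}.
    A non-empty 'denied' map means the role exists but lacks those actions;
    'no_credentials' True means no role/instance profile is attached at all."""
    denied, principals, resources = Counter(), set(), set()
    no_credentials = False
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denied[m.group("action")] += 1
            principals.add(m.group("principal"))
            if m.group("resource"):
                resources.add(m.group("resource"))
        if NO_CREDS_RE.search(line):
            no_credentials = True
    return {"denied": dict(denied), "principals": principals,
            "resources": resources, "no_credentials": no_credentials}


def triage_file(path: str = AGENT_LOG_PATH) -> dict:
    """Convenience wrapper: run triage() over the agent log on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh.read())


# Constructed sample: a role is attached but only allows logs:PutLogEvents
# on streams, so stream creation and stream lookup are denied.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z I! [outputs.cloudwatchlogs] pusher started for /var/log/messages
2024-03-01T10:00:05Z E! [outputs.cloudwatchlogs] CreateLogStream failed: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/web-role/i-0abc12345 is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:123456789012:log-group:/var/log/messages:log-stream:i-0abc12345 because no identity-based policy allows the logs:CreateLogStream action
2024-03-01T10:00:05Z W! [outputs.cloudwatchlogs] retrying in 30s
2024-03-01T10:00:35Z E! [outputs.cloudwatchlogs] DescribeLogStreams failed: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/web-role/i-0abc12345 is not authorized to perform: logs:DescribeLogStreams on resource: arn:aws:logs:us-east-1:123456789012:log-group:/var/log/messages:log-stream: because no identity-based policy allows the logs:DescribeLogStreams action
2024-03-01T10:01:05Z E! [outputs.cloudwatchlogs] CreateLogStream failed: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/web-role/i-0abc12345 is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:123456789012:log-group:/var/log/messages:log-stream:i-0abc12345 because no identity-based policy allows the logs:CreateLogStream action
"""

# Constructed sample: no instance profile attached at all.
SAMPLE_NO_ROLE_LOG = """\
2024-03-01T11:00:00Z E! [outputs.cloudwatchlogs] NoCredentialProviders: no valid providers in chain. Deprecated.
"""


if __name__ == "__main__":
    for label, text in [("role lacks actions", SAMPLE_LOG), ("no role", SAMPLE_NO_ROLE_LOG)]:
        print(label, "->", triage(text))
```

A `no_credentials` result means fixing policies will not help until a role is attached to the instance (`aws ec2 associate-iam-instance-profile`); a populated `denied` map lists exactly the actions to add to the role, and the `principals` set confirms which role the agent is actually running as.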
Practice question with answer and explanation for the Amazon AWS Certified SysOps Administrator – Associate certification exam.