Exam AWS Certified Security - Specialty topic 1 question 478 discussion

The IAM role associated with the EC2 instances needs to have the necessary permissions to perform actions on the CloudWatch service, particularly to be able to publish logs to CloudWatch Logs. This can be achieved by modifying the IAM policy attached to the IAM role, granting the required permissions to perform the necessary API actions on CloudWatch. Option B is incorrect because the service-linked role for Amazon EC2 Auto Scaling has pre-defined permissions that cannot be changed. Option C is incorrect because there is no AWS service named "AWS logs". The correct service name is "CloudWatch Logs". Option D is incorrect because the question already mentions that the network communications to AWS services are working properly. So, there's no need to add a VPC endpoint for CloudWatch Logs.

The role being used to push the logs is the one the EC2s are being launched with and not the auto scaling one.

The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. Which is cloudwatch: so B is out

The logs that are not being published to CloudWatch Logs are generated by the Amazon CloudWatch agent. The Amazon CloudWatch agent publishes the logs. It runs on the EC2 instances, so it uses the IAM role. That rules out answer B. The network communications are working properly, so that rules out answer D. The actions needed in the IAM policy start with logs: (note the : ) That rules out answer A. For examples: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#w135aac34c16c15c25c11

C is correct

I think some are being confused because it mentions autoscaling. I'm reading this as what the engineer has to do to ensure the EC2 instances can publish logs to CloudWatch, rather than the Autoscaling service itself. Read: "no logs are being published to CloudWatch Logs for the EC2 instances". Since the IAM role has a policy that "provides access to publish custom metrics to CloudWatch", it would also require access to publish logs. Option *A* is the only one that can do this. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html It seems while you can creat custom roles, you can't amend the permissions for Autoscaling: The permissions of a custom suffix service-linked role are identical to those of the default service-linked role. In both cases, you cannot edit the roles, and you also cannot delete them if they are still in use by an Auto Scaling group. The only difference is the role name suffix. https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-service-linked-role.html Answer is A

I think the answer is B. Although, service-linked roles can't be adjusted. They have to be deleted (as well as any resources using them) and recreated. https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role

cloudwatch — Create, describe, modify, and delete CloudWatch alarms for scaling policies and retrieve metrics used for predictive scaling. Permissions that service-linked role for Amazon EC2 Auto Scaling has. https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-service-linked-role.html#service-linked-role-permissions

Answer B

option B: Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs. The service-linked role is automatically created and used by EC2 Auto Scaling to perform certain actions on behalf of the user, such as launching and terminating instances. By default, the service-linked role for EC2 Auto Scaling does not have permissions to write logs to CloudWatch Logs. To enable the EC2 instances in the Auto Scaling group to publish logs to CloudWatch Logs, the security engineer should modify the IAM policy attached to the service-linked role and grant the necessary permissions to write logs. This can be achieved by adding the appropriate logs:CreateLogStream and logs:PutLogEvents actions to the IAM policy.