
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 125 discussion

An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides access to the internet for private subnets through a NAT gateway.

A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services.

What can the security engineer do to ensure that the logs are published to CloudWatch Logs?

  • A. Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs.
  • B. Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.
  • C. Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that will publish logs.
  • D. Add an interface VPC endpoint to provide a route to CloudWatch Logs.
Suggested Answer: A
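The point the thread argues over is which IAM service namespace the agent's log calls belong to. Publishing custom metrics is the action cloudwatch:PutMetricData; shipping log files to CloudWatch Logs uses the separate CloudWatch Logs API, whose actions are logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents and the logs:Describe* calls, so a grant on cloudwatch:* never matches any of them. The following Python is an added example, not part of the exam page or any commenter's post: it implements IAM's action wildcard matching, checks a metrics-only policy and a corrected policy against the actions the unified CloudWatch agent needs, and extracts the denied actions from agent log lines. The two policy documents, the role and log-group names, and the log lines are all constructed for the example; the "is not authorized to perform: <action>" wording is the standard IAM denial text.

```python
"""
Added example: why a role that can publish custom metrics still cannot publish
logs, and how to confirm it from the CloudWatch agent's own log.

CloudWatch metrics and CloudWatch Logs are separate IAM service namespaces
("cloudwatch:" and "logs:"), so a metrics-only grant leaves every logs: call
implicitly denied.
"""
import re

# Publishing actions the unified CloudWatch agent calls (the same set that the
# AWS managed policy CloudWatchAgentServerPolicy grants, minus its ec2:Describe*
# and ssm:GetParameter actions, which are unrelated to publishing).
AGENT_PUBLISH_ACTIONS = [
    "cloudwatch:PutMetricData",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
]

# Constructed policy: what the question describes (custom metrics only).
METRICS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"},
    ],
}

# Constructed policy: metrics plus the logs: actions the agent needs.
# In production, scope Resource to the log-group ARNs the agent writes to.
METRICS_AND_LOGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action."""
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards only."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def is_allowed(policy, action):
    """Explicit Deny wins over Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, required=AGENT_PUBLISH_ACTIONS):
    """Required actions that the policy does not allow, in the order required."""
    return [a for a in required if not is_allowed(policy, a)]


# Constructed lines in the shape of the agent log
# (/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log on Linux).
# Account ID, role name, instance ID and log group are made up for the example.
SAMPLE_AGENT_LOG = """\
2024-05-01T10:00:00Z I! Starting AmazonCloudWatchAgent
2024-05-01T10:00:05Z E! cloudwatchlogs: CreateLogStream failed: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/asg-role/i-0abc is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:123456789012:log-group:/app/web:log-stream:i-0abc
2024-05-01T10:00:05Z E! cloudwatchlogs: PutLogEvents failed: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/asg-role/i-0abc is not authorized to perform: logs:PutLogEvents on resource: arn:aws:logs:us-east-1:123456789012:log-group:/app/web:log-stream:i-0abc
"""

DENIED_RE = re.compile(r"AccessDeniedException:.*?is not authorized to perform: (\S+)")


def denied_actions(log_text):
    """Distinct IAM actions the agent log reports as AccessDenied, first-seen order."""
    seen = []
    for match in DENIED_RE.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


if __name__ == "__main__":
    print("metrics-only policy lacks:", missing_actions(METRICS_ONLY_POLICY))
    print("metrics+logs policy lacks:", missing_actions(METRICS_AND_LOGS_POLICY))
    print("actions denied in agent log:", denied_actions(SAMPLE_AGENT_LOG))
```

The denied actions pulled from the agent log are exactly the ones `missing_actions` reports for the metrics-only policy, which is the check an engineer would run before touching the role: if the agent is up and the NAT path works, an AccessDeniedException naming a logs: action points at the policy, not at the network or the Auto Scaling service-linked role.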

Comments

maneeshsharma
3 days ago
Selected Answer: C
Here's why: The EC2 instances are trying to send logs to CloudWatch Logs. CloudWatch Logs uses the logs:* set of API actions (like logs:CreateLogStream, logs:PutLogEvents, logs:CreateLogGroup, etc.). The current IAM role only grants permission for custom metrics (cloudwatch:* permissions), not for logs. To allow the CloudWatch agent to publish logs, the EC2 instance needs permissions for logs: API actions.
upvoted 1 times
...
mnsait
1 week, 2 days ago
Selected Answer: A
A is correct. A - AWS Logs?? What's that? B - Service-linked role, not related to this issue. D - VPC Endpoint is not needed for connectivity since the NAT Gateway does the job, although more expensive, but for the question, this is not an issue.
upvoted 1 times
...
Kaps443
1 week, 5 days ago
Selected Answer: C
The CloudWatch Agent uses CloudWatch Logs APIs (like logs:PutLogEvents, logs:CreateLogStream, and logs:CreateLogGroup) to publish logs. The issue here is that the IAM policy attached to the EC2 instance only has permissions to publish custom metrics, which use cloudwatch: actions (like cloudwatch:PutMetricData) — not for CloudWatch Logs.
upvoted 1 times
...
itsjunukim
2 weeks, 4 days ago
Selected Answer: C
```json
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams"
  ],
  "Resource": "*"
}
```
upvoted 1 times
...
phmeeeee
3 weeks, 3 days ago
Selected Answer: C
I vote for C because the cloudwatch API is for METRICS, not the logs. The question is asking to solve the problem that it can't put the logs. So verifying the logs API is my answer. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html
upvoted 1 times
...
fcbflo
1 month, 3 weeks ago
Selected Answer: C
Option A is incorrect because it specifies "cloudwatch:" API actions, but CloudWatch Logs uses a different set of API permissions. The CloudWatch service (for metrics) and the CloudWatch Logs service use different API namespaces: CloudWatch metrics use the "cloudwatch:" API namespace; CloudWatch Logs uses the "logs:" API namespace.

The problem states that the IAM policy already provides access to publish custom metrics to CloudWatch (which uses the cloudwatch: namespace), but logs aren't being published to CloudWatch Logs. This indicates that the permissions for the logs: namespace are missing. Therefore, option C (configuring the IAM policy to include the required logs: API actions) is the correct solution, not option A.
upvoted 2 times
...
AWSLoverLoverLoverLoverLover
2 months, 1 week ago
Selected Answer: A
A. Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs. (Most Voted)

Explanation: IAM Permissions Issue: Since the CloudWatch agent is running properly, the issue is likely related to insufficient IAM permissions for the EC2 instances' IAM role. Correct CloudWatch API Actions.

B. Adjust the Auto Scaling service-linked role ❌ → The Auto Scaling service-linked role does not affect CloudWatch Logs; it is only needed for managing EC2 instances.
C. Configure the IAM policy for AWS logs: API actions ❌ → AWS Logs is not a valid service namespace; the CloudWatch agent requires logs: and cloudwatch: API actions.
D. Add a VPC Endpoint ❌ → The question states that network communications are working fine via the NAT gateway, so connectivity to CloudWatch is not an issue.
upvoted 3 times
mnsait
1 week, 2 days ago
Good explanation
upvoted 1 times
...
...
IPLogic
4 months, 3 weeks ago
Selected Answer: C
To ensure that the logs are published to CloudWatch Logs, the security engineer should take the following steps: Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that will publish logs. This ensures that the IAM role has the necessary permissions to interact with CloudWatch Logs. Therefore, the correct answer is C. This approach ensures that the IAM role has the appropriate permissions to publish logs to CloudWatch Logs, resolving the issue of logs not being published.
upvoted 1 times
IPLogic
4 months, 3 weeks ago
Option A suggests configuring the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs. However, the correct API actions required for publishing logs to CloudWatch Logs are actually under the logs: namespace, not cloudwatch:. This is a crucial distinction because the cloudwatch: actions are related to CloudWatch metrics and alarms, whereas the logs: actions are specifically for managing and publishing logs.

To ensure that the logs are published to CloudWatch Logs, the IAM policy must include permissions for actions such as logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, and logs:DescribeLogStreams. Therefore, option C is correct because it specifies the necessary logs: API actions, ensuring that the IAM role has the appropriate permissions to publish logs to CloudWatch Logs.
upvoted 1 times
...
...
ericxw
5 months, 2 weeks ago
Selected Answer: C
"What API calls does the agent make (or what actions should I add to my IAM policy)?" https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html#:~:text=What%20API%20calls%20does%20the%20agent%20make%20(or%20what%20actions%20should%20I%20add%20to%20my%20IAM%20policy)%3F
upvoted 1 times
...
mzeynalli
5 months, 3 weeks ago
Selected Answer: A
Option C: The correct actions to publish logs are under the `cloudwatch:` namespace, not `aws logs:`; hence this option is misleading and incorrect.
upvoted 2 times
...
DSExam
6 months ago
Selected Answer: C
C is right, see below: All CloudWatch Logs actions (logs:*)
upvoted 1 times
...
pagom
6 months ago
Selected Answer: C
The cloudwatch: API is different from the logs: API.
upvoted 1 times
...
div05jkjl
6 months, 2 weeks ago
Selected Answer: C
C is correct
upvoted 1 times
...
Lingo43
7 months, 4 weeks ago
Selected Answer: C
The scenario describes that the CloudWatch agent is running, the network is working, and the IAM role already has permissions to publish custom metrics. This suggests that the issue lies in the IAM permissions related specifically to publishing logs. The CloudWatch Logs agent needs permissions to interact with the CloudWatch Logs service, which is governed by the logs: API actions.
upvoted 2 times
...
xTrayusx
9 months ago
Selected Answer: C
C, it's logs:* actions
upvoted 1 times
helloworldabc
7 months, 2 weeks ago
just A
upvoted 1 times
...
...
navid1365
9 months, 1 week ago
Selected Answer: A
A is correct.
upvoted 1 times
...
1923
9 months, 1 week ago
ChatGPT says "D"
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other