Exam AWS Certified Security - Specialty topic 1 question 451 discussion

Exam question from Amazon's AWS Certified Security - Specialty

Question #: 451
Topic #: 1

[All AWS Certified Security - Specialty Questions]

An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years.

A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
B. Set the log retention for desired log groups to 7 years.
C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.
D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

Show Suggested Answer

Suggested Answer: ABC 🗳️

by D2 at Dec. 1, 2022, 7:04 a.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

AdamWest

Highly Voted 2 years, 7 months ago

Selected Answer: ABC

ABC - Agree Cloudwatch logs can be stored for 10 years. Its more expensive than S3 but thats not what the ask it.

upvoted 7 times

...

hro

Most Recent 1 year, 3 months ago

F and B are not valid AWS CloudWatch log retention - Log retention – By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day.

upvoted 1 times

...

MikeRach

1 year, 4 months ago

I appeared for the exam on 02/14/2024 and there were barely 14 questions in the exam from this bank. Folks, please be careful and don’t rely on this question bank. Do your own prep otherwise you will definitely not clear it if you just rely on this alone.

upvoted 2 times

...

createchange

2 years, 4 months ago

Selected Answer: ABC

The answers are separated cleanly. 3 refer to CloudWatch, whereas the other 3 refer to S3. Answer E talks about "periodically bundling the logs" before sending to S3. This does not accomplish ensuring that no logs are lost, as bundling could not have occurred for a period of time before a scale-in event. As such, the answer must be ABC.

upvoted 4 times

...