AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 5

A company's CloudOps engineer is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs However, there are no logs in CloudWatch Logs.
What could be blocking the VPC flow logs from being published to CloudWatch Logs?

Answer options

• A. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateLogGroup permission.
• B. The IAM policy that is attached to the IAM role for the flow log is missing the logs:CreateExportTask permission.
• C. The VPC is configured for IPv6 addresses.
• D. The VPC is peered with another VPC in the AWS account

Correct answer: A

Explanation

The correct answer is A because if the IAM policy does not include the logs:CreateLogGroup permission, the flow logs cannot create the necessary log group in CloudWatch, preventing logs from being published. Option B is incorrect as the CreateExportTask permission is not required for direct publishing of VPC flow logs to CloudWatch. Options C and D are also irrelevant to the publishing process of flow logs to CloudWatch.