AWS Certified Security – Specialty — Question 193

During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs.
Which steps can the Security Engineer take to troubleshoot this issue? (Choose two.)

Answer options

• A. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running.
• B. Log in to the AWS account and select CloudWatch Logs. Check for any monitored EC2 instances that are in the ג€Alertingג€ state and restart them using the EC2 console.
• C. Verify that the EC2 instances have a route to the public AWS API endpoints.
• D. Connect to the EC2 instances that are not sending logs. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic.
• E. Verify that the network access control lists and security groups of the EC2 instances have the access to send logs over SNMP.

Correct answer: A, C

Explanation

Option A is correct because verifying that the CloudWatch Logs agent is running on the EC2 instances is a direct step to identify log transmission issues. Option C is also correct as confirming that the instances can reach the public AWS API endpoints is crucial for log delivery. Option B is incorrect because restarting instances in an alerting state does not address the log sending issue directly. Option D is incorrect since verifying permissions for the Amazon SNS topic is not relevant to CloudWatch log transmission. Option E is incorrect as SNMP is not used for sending CloudWatch logs.