AWS Certified Security – Specialty — Question 458
A systems engineer deployed containers from several custom-built images that an application team provided through a QA workflow. The systems engineer used Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type as the target platform. The systems engineer now needs to collect logs from all containers into an existing Amazon CloudWatch log group.
Which solution will meet this requirement?
Answer options
- A. Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region in the LogConfiguration property.
- B. Download and configure the CloudWatch agent on the container instances.
- C. Set up Fluent Bit and FluentD as a DaemonSet to send logs to Amazon CloudWatch Logs.
- D. Configure an IAM policy that includes the logs:CreateLogGroup action. Assign the policy to the container instances.
Correct answer: A
Explanation
When using the Fargate launch type with Amazon ECS, the standard and native method to stream container logs to Amazon CloudWatch Logs is to configure the awslogs log driver in the task definition's LogConfiguration property, naming the target log group (awslogs-group) and its region (awslogs-region). Because Fargate is a serverless container environment, there are no underlying container instances for users to manage, install agents on, or assign IAM policies to directly, which rules out options B and D. Option C does not apply either: DaemonSets are a Kubernetes concept and are not applicable to Amazon ECS.
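As an added illustration that is not part of the original question or explanation, the following is a minimal Fargate task definition showing where the awslogs settings from option A live. The account ID, region, image URI, role name and log group name are placeholders, not values from the page.

```json
{
  "family": "example-app",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "256",
  "memory": "512",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "app",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/example-app:1.0",
      "essential": true,
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/example-app",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      }
    }
  ]
}
```

Two practical notes. First, on Fargate the log driver runs under the task execution role (executionRoleArn), not the task role, so that role must be allowed to call logs:CreateLogStream and logs:PutLogEvents on the group; the AWS managed policy AmazonECSTaskExecutionRolePolicy grants exactly these. Second, because the question targets an existing log group, no logs:CreateLogGroup permission is needed; the optional awslogs-create-group option (and the matching permission) is only required when you want ECS to create the group for you.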