AWS Certified SysOps Administrator – Associate — Question 249

A company has a policy that all Amazon EC2 instance logs must be published to Amazon CloudWatch Logs. A SysOps administrator is troubleshooting an EC2 instance that is running Amazon Linux 2. The EC2 instance is not publishing logs to CloudWatch Logs. The Amazon CloudWatch agent is running on the EC2 instance, and the agent configuration file is correct.

What should the SysOps administrator do to resolve the issue?

Answer options

• A. Configure the AWS CLI on the EC2 instance. Create a cron job that calls the PutLogEvents API operation to push the log files to CloudWatch every 5 minutes.
• B. Inspect the retention period of the CloudWatch Logs log group. Ensure that the retention period is set to a value that is greater than 1 day.
• C. Set up an Amazon Kinesis data stream that is running in the same AWS Region as the EC2 instance. Configure the CloudWatch agent on the EC2 instance to send CloudWatch events to the data stream.
• D. Ensure that the IAM role that is attached to the EC2 instance has permissions in CloudWatch Logs for the CreateLogGroup, CreateLogStream, PutLogEvents, and DescribeLogStreams actions.

Correct answer: D

Explanation

The correct answer is D because the IAM role must have the appropriate permissions to allow the EC2 instance to interact with CloudWatch Logs. If the role lacks these permissions, the logs cannot be published. Options A, B, and C do not address the core issue of permission settings required for log publishing.