AWS Certified SysOps Administrator – Associate — Question 373

A company's SysOps administrator is troubleshooting communication between the components of an application. The company configured VPC flow logs to be published to Amazon CloudWatch Logs. However, there are no logs in CloudWatch Logs.

What could be blocking the VPC flow logs from being published to CloudWatch Logs?

Answer options

Correct answer: A

Explanation

To publish VPC flow logs to Amazon CloudWatch Logs, the flow log is created with an IAM role that the VPC Flow Logs service assumes to write into the destination log group. That role's permissions policy must allow the service to create the log group if it does not already exist (logs:CreateLogGroup), create a log stream per network interface (logs:CreateLogStream), write records (logs:PutLogEvents), and look up existing groups and streams (logs:DescribeLogGroups, logs:DescribeLogStreams). If logs:CreateLogGroup is missing, the service cannot create the destination when it first tries to deliver, delivery fails, and nothing ever appears in CloudWatch Logs; the flow log's delivery status (visible with describe-flow-logs) reports an access error rather than the flow log being rejected at creation time. The role's trust policy must also allow the vpc-flow-logs.amazonaws.com service principal to assume it, which is the other common cause of silent non-delivery. The remaining options do not prevent delivery: logs:CreateExportTask is only used to export existing log data to Amazon S3, and VPC settings such as IPv6 addressing or VPC peering do not affect whether flow logs are published. Note also that flow log records are batched and can take several minutes to appear after the flow log is created, so an empty log group immediately after creation is not by itself evidence of a permissions problem.
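The following script is an added example, not part of the original question or of AWS documentation. It performs the offline check a practitioner would run before re-creating the flow log: given the delivery role's permissions policy and trust policy (constructed sample documents below, one of them deliberately missing logs:CreateLogGroup as in the question), it reports which required CloudWatch Logs actions are absent and whether vpc-flow-logs.amazonaws.com is allowed to assume the role. The list of required actions is the set AWS documents for the flow logs delivery role; the policy documents and the `diagnose` helper are illustrative and not real account resources.

```python
import fnmatch
import json

# Actions the VPC Flow Logs service must be allowed on the delivery role
# (from the AWS documentation for publishing flow logs to CloudWatch Logs).
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
}
FLOW_LOGS_PRINCIPAL = "vpc-flow-logs.amazonaws.com"


def _as_list(value):
    """IAM allows a string or a list for Action, Resource and Principal.Service."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy):
    """Collect every action granted by an Allow statement (Deny is ignored here)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return granted


def missing_actions(policy):
    """Return the required flow-log actions not covered by any Allow statement."""
    granted = allowed_actions(policy)
    return sorted(
        action for action in REQUIRED_ACTIONS
        if not any(_action_matches(p, action) for p in granted)
    )


def trusts_flow_logs(trust_policy):
    """True if some Allow statement lets vpc-flow-logs.amazonaws.com assume the role."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if FLOW_LOGS_PRINCIPAL in services:
            return True
    return False


def diagnose(permissions_policy, trust_policy):
    """Human-readable findings; an empty list means the role should deliver."""
    findings = [f"permissions policy lacks {a}" for a in missing_actions(permissions_policy)]
    if not trusts_flow_logs(trust_policy):
        findings.append(f"trust policy does not allow {FLOW_LOGS_PRINCIPAL} to assume the role")
    return findings


# Constructed sample documents (hypothetical, not taken from any account).
# This one reproduces the question: CreateLogGroup was left out.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
    "Resource": "*"
  }]
}""")

FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
    "Resource": "*"
  }]
}""")

# Trust policy written for EC2 by mistake: the flow logs service cannot assume it.
WRONG_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": FLOW_LOGS_PRINCIPAL},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for label, perm, trust in [("broken", BROKEN_POLICY, WRONG_TRUST),
                               ("fixed", FIXED_POLICY, GOOD_TRUST)]:
        print(label, diagnose(perm, trust) or "OK: role can deliver flow logs")
```

In practice you would feed `diagnose` the documents returned by `aws iam get-role-policy` (or `get-policy-version` for a managed policy) and `aws iam get-role` for the trust relationship; if it reports nothing, check the flow log's delivery status with `aws ec2 describe-flow-logs` and allow a few minutes for the first batch of records to arrive.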