AWS Certified SysOps Administrator – Associate — Question 473
A company observes that a newly created Amazon CloudWatch alarm is not transitioning out of the INSUFFICIENT_DATA state. The alarm was created to track the mem_used_percent metric from an Amazon EC2 instance that is deployed in a public subnet.
A review of the EC2 instance shows that the unified CloudWatch agent is installed and is running. However, the metric is not available in CloudWatch. A SysOps administrator needs to implement a solution to resolve this problem.
Which solution will meet these requirements?
Answer options
- A. Enable CloudWatch detailed monitoring for the EC2 instance
- B. Create an IAM instance profile that contains CloudWatch permissions. Add the instance profile to the EC2 instance
- C. Migrate the EC2 instance into a private subnet
- D. Create an IAM user that has an access key ID and a secret access key. Update the unified CloudWatch agent configuration file to use those credentials
Correct answer: B
Explanation
For the unified CloudWatch agent to publish custom OS-level metrics such as mem_used_percent to CloudWatch, the EC2 instance must be granted the appropriate permissions. The secure way to do this is to attach an IAM instance profile that contains the CloudWatchAgentServerPolicy. Detailed monitoring (Option A) only increases the frequency of the default hypervisor-level metrics and does not grant permission for custom agent metrics. Static IAM user credentials (Option D) are a security risk and are not the recommended best practice compared to using IAM roles.
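
The fix in option B as AWS CLI steps. This is an added example, not part of the original question. The role/profile name and the instance ID are placeholders, and the commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: give the unified CloudWatch agent credentials through an
# instance profile instead of static access keys.

POLICY_ARN="arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"

# Trust policy: only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Print the command by default; set DRY_RUN=0 to execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# usage: attach_cw_agent_profile <instance-id> [role-and-profile-name]
# If the instance already has a profile, the last step fails; attach the
# managed policy to that profile's existing role instead.
attach_cw_agent_profile() {
  instance_id=$1
  name=${2:-ExampleCWAgentRole}   # hypothetical name
  run aws iam create-role --role-name "$name" \
      --assume-role-policy-document "$(trust_policy)"
  run aws iam attach-role-policy --role-name "$name" --policy-arn "$POLICY_ARN"
  run aws iam create-instance-profile --instance-profile-name "$name"
  run aws iam add-role-to-instance-profile \
      --instance-profile-name "$name" --role-name "$name"
  run aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
      --iam-instance-profile "Name=$name"
}

# Confirm the metric is now published (CWAgent is the agent's default namespace).
check_metric() {
  run aws cloudwatch list-metrics --namespace CWAgent \
      --metric-name mem_used_percent
}
```

Once `check_metric` returns the metric, the alarm can leave INSUFFICIENT_DATA as datapoints arrive.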