AWS Certified SysOps Administrator – Associate — Question 474
A company recently moved its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch Logs to track the instance logs.
What should a SysOps administrator do to meet this requirement in compliance with AWS best practices?
Answer options
- A. Configure CloudWatch from the AWS Management Console for the instances. Wait for AWS to automatically install and configure the agents for the instances
- B. Install and configure the CloudWatch agent on the instances. Attach an IAM role to allow the instances to write logs to CloudWatch
- C. Install and configure the CloudWatch agent on the instances. Attach an IAM user to allow the instances to write logs to CloudWatch
- D. Install and configure the CloudWatch agent on the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch
Correct answer: B
Explanation
To send logs from Amazon EC2 instances to Amazon CloudWatch Logs, the CloudWatch agent must be installed and configured on the instances, and an IAM role with the necessary permissions must be attached to the instances. Using IAM roles is an AWS best practice for EC2 instances to access AWS services securely, because the instances obtain temporary credentials automatically rather than relying on hardcoded IAM user credentials. Security groups filter network traffic; they do not grant API permissions, so they cannot authorize an instance to write logs. AWS does not automatically install the CloudWatch agent on instances.