AWS Certified SysOps Administrator – Associate (legacy) — Question 704
A SysOps Administrator found that a newly-deployed Amazon EC2 application server is unable to connect to an existing Amazon RDS database. After enabling VPC Flow Logs and confirming that the flow log is active on the console, the log group cannot be located in Amazon CloudWatch.
What are the MOST likely reasons for this situation? (Choose two.)
Answer options
- A. The Administrator must configure the VPC Flow Logs to have them sent to AWS CloudTrail.
- B. The Administrator has waited less than ten minutes for the log group to be created in CloudWatch.
- C. The account VPC Flow Logs have been disabled by using a service control policy.
- D. No relevant traffic has been sent since the VPC Flow Logs were created.
- E. The account has Amazon GuardDuty enabled.
Correct answer: B, D
Explanation
A VPC flow log publishes to CloudWatch Logs through the IAM role chosen when the flow log was created, and that role creates the log group only when the first records are delivered, not when the flow log itself is created. The console shows the flow log as Active as soon as the resource exists, so two ordinary conditions explain a missing log group. First, it can take several minutes (AWS documents roughly ten) after creation before data is collected and published, so the Administrator may simply not have waited long enough (Option B). Second, if no traffic matching the flow log's filter (ACCEPT, REJECT or ALL) has crossed the monitored interface, subnet or VPC, there is nothing to deliver and the log group is never created (Option D). Option A is wrong: flow logs are published to CloudWatch Logs (or Amazon S3), never to AWS CloudTrail, which records API calls rather than network traffic. Option C does not match the symptoms, because a service control policy that denied ec2:CreateFlowLogs would have stopped the flow log from being created and shown as active in the first place. Option E is irrelevant: Amazon GuardDuty reads VPC flow logs through its own independent data source and neither requires nor interferes with CloudWatch delivery. One practical caveat: if the log group still does not appear after matching traffic has been sent, inspect DeliverLogsStatus and DeliverLogsErrorMessage in the output of describe-flow-logs; a FAILED status usually means the delivery role lacks logs:CreateLogGroup or the other CloudWatch Logs permissions, which is a permissions problem rather than a waiting problem.
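The triage below is an added example, not part of the original question page. It separates the two benign cases in the question (created too recently, or no matching traffic yet) from the delivery failure a practitioner should also rule out, and checks whether a delivery role policy grants the CloudWatch Logs actions the flow log service needs. The flow log records and IAM policies are constructed sample data shaped like the `FlowLogs` entries returned by `aws ec2 describe-flow-logs` and a standard IAM policy document, so the script runs offline; in a real account you would feed it the boto3 responses instead.

```python
"""Triage a VPC flow log whose CloudWatch log group has not appeared.

Added example (not from the original page). Input shapes mirror the
`describe-flow-logs` response and an IAM policy document; all sample data
below is constructed for illustration.
"""
import fnmatch
from datetime import datetime, timedelta, timezone

# Actions the delivery role (DeliverLogsPermissionArn) needs to create the log
# group and stream and to write records, per the AWS VPC Flow Logs documentation.
REQUIRED_LOG_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
)

# Data normally begins appearing within about ten minutes of creation; before
# that, a missing log group is expected rather than a fault (Option B).
DELIVERY_GRACE = timedelta(minutes=10)


def missing_role_actions(policy_document):
    """Return the required logs:* actions that no Allow statement grants.

    Honours IAM-style wildcards in Action ("logs:*", "logs:Describe*") and
    accepts Action as a string or a list. Deliberately simple: Deny
    statements, Resource and Condition are not evaluated.
    """
    allowed = []
    for stmt in policy_document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed.extend([actions] if isinstance(actions, str) else actions)
    # IAM action matching is case-insensitive, so compare lower-cased.
    return [
        action for action in REQUIRED_LOG_ACTIONS
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in allowed)
    ]


def triage_flow_log(flow_log, existing_log_groups, now):
    """Classify why a flow log's CloudWatch log group is present or missing.

    flow_log: one entry of the describe-flow-logs "FlowLogs" list.
    existing_log_groups: set of log group names that exist in the region.
    """
    if flow_log.get("LogDestinationType", "cloud-watch-logs") != "cloud-watch-logs":
        return "not-cloudwatch"          # S3 destination: nothing to look for in CloudWatch
    if flow_log.get("FlowLogStatus") != "ACTIVE":
        return "inactive"
    # ACTIVE only means the flow log resource exists; delivery is tracked separately.
    if flow_log.get("DeliverLogsStatus") == "FAILED":
        return "delivery-failed: " + flow_log.get("DeliverLogsErrorMessage", "unknown error")
    if flow_log.get("LogGroupName") in existing_log_groups:
        return "log-group-exists"
    if now - flow_log["CreationTime"] < DELIVERY_GRACE:
        return "wait"                    # Option B: created less than ten minutes ago
    return "no-matching-traffic"         # Option D: nothing has matched the filter yet


# --- constructed sample data (not real account output) -----------------------
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def _sample(age, **overrides):
    record = {
        "FlowLogId": "fl-0123456789abcdef0",          # hypothetical id
        "FlowLogStatus": "ACTIVE",
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": "vpc-flow-logs",
        "TrafficType": "REJECT",
        "DeliverLogsStatus": "SUCCESS",
        "CreationTime": NOW - age,
    }
    record.update(overrides)
    return record

SAMPLE_FLOW_LOGS = {
    "fresh": _sample(timedelta(minutes=3)),
    "quiet": _sample(timedelta(hours=2)),
    "broken-role": _sample(timedelta(hours=2), DeliverLogsStatus="FAILED",
                           DeliverLogsErrorMessage="Access error"),
}

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogGroups", "logs:DescribeLogStreams"]}]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["logs:Create*", "logs:PutLogEvents", "logs:Describe*"]}]}


if __name__ == "__main__":
    for name, record in SAMPLE_FLOW_LOGS.items():
        print(f"{name:12} -> {triage_flow_log(record, set(), NOW)}")
    print("weak policy missing:", missing_role_actions(WEAK_POLICY))
```

The order of the checks matters: delivery status is tested before the age of the flow log, because a FAILED delivery with an "Access error" message points at the role's permissions and will not resolve itself by waiting, whereas the "wait" and "no-matching-traffic" outcomes are exactly Options B and D and need no remediation beyond generating traffic and checking again.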