AWS Certified SysOps Administrator – Associate (legacy) — Question 745
A company is hosting a website on an Amazon EC2 instance that runs in a public subnet inside a VPC. The company uses Amazon CloudWatch Logs for web server log analysis.
A SysOps administrator has installed and configured the CloudWatch Logs agent on the EC2 instance and has confirmed that the agent is running. However, logs are not showing up in CloudWatch Logs.
Which solution will resolve this issue?
Answer options
- A. Modify the EC2 instance security group rules to allow inbound traffic on port 80.
- B. Create an IAM user that has the proper permissions for CloudWatch Logs. Create an IAM instance profile, and associate it with the IAM user. Associate the instance profile with the EC2 instance.
- C. Create an IAM role that has the proper permissions for CloudWatch Logs. Create an IAM instance profile, and associate it with the IAM role. Associate the instance profile with the EC2 instance.
- D. Modify the VPC's network ACL rules for the public subnet to allow inbound traffic on port 80.
Correct answer: B
Explanation
To successfully transmit logs to CloudWatch Logs, the EC2 instance must have the correct IAM permissions, supplied to the agent through an instance profile attached to the instance. Providing these credentials resolves the authorization failure that is preventing the agent from sending log data. Modifying inbound port 80 rules in security groups or network ACLs will not resolve the issue: those rules govern web traffic reaching the website, whereas the agent delivers logs over outbound HTTPS from the instance to the CloudWatch Logs endpoint.