AWS Certified SysOps Administrator – Associate (legacy) — Question 865
A .NET application that you manage is running in Elastic Beanstalk. Your developers tell you they will need access to application log files to debug issues that arise. The infrastructure will scale up and down.
How can you ensure the developers will be able to access only the log files?
Answer options
- A. Access the log files directly from Elastic Beanstalk
- B. Enable log file rotation to S3 within the Elastic Beanstalk configuration
- C. Ask your developers to enable log file rotation in the application's web.config file
- D. Connect to each instance launched by Elastic Beanstalk and create a Windows Scheduled Task to rotate the log files to S3
Correct answer: D
Explanation
By manually configuring a Windows Scheduled Task on the underlying EC2 instances to push logs to an Amazon S3 bucket, you can restrict developer access solely to that specific S3 bucket using IAM policies. Direct access to Elastic Beanstalk (Option A and Option B) would require granting broader permissions to the Elastic Beanstalk environment itself, which violates the principle of least privilege. Modifying the web.config (Option C) does not by itself handle secure transport of the log files to an external location or access control over them.