Which combination of steps must the DevOps engineer take to meet these requirements?
(Choose three.)
Download the Amazon CloudWatch Logs container instance from AWS. Configure this instance as a task. Update the application service definitions to include the logging task.
Install the Amazon CloudWatch Logs agent on the ECS instances. Change the logging driver in the ECS task definition to awslogs.
Use Amazon EventBridge to schedule an AWS Lambda function that will run every 60 seconds and will run the Amazon CloudWatch Logs create-export-task command. Then point the output to the logging S3 bucket.
Activate access logging on the ALB. Then point the ALB directly to the logging S3 bucket.
Activate access logging on the target groups that the ECS services use. Then send the logs directly to the logging S3 bucket.
Create an Amazon Kinesis Data Firehose delivery stream that has a destination of the logging S3 bucket. Then create an Amazon CloudWatch Logs subscription filter for Kinesis Data Firehose.
Explanations:
Installing the Amazon CloudWatch Logs agent on ECS instances and changing the logging driver to awslogs ensures that application logs are sent to CloudWatch Logs, which can later be exported to S3.
Activating access logging on the Application Load Balancer (ALB) and sending it to an S3 bucket allows direct capture of ALB access logs for analysis.
Creating a Kinesis Data Firehose delivery stream with a destination of an S3 bucket and setting up a CloudWatch Logs subscription filter for Firehose ensures near-real-time delivery of logs to S3.
Downloading the CloudWatch Logs container instance and configuring it as a task isn’t a recommended approach for ECS to send logs to S3. ECS tasks typically use CloudWatch logging directly.
Using EventBridge to schedule a Lambda function to export CloudWatch Logs to S3 is a valid solution but not the most efficient or real-time approach compared to direct logging configurations.
Access logging cannot be enabled directly on ECS target groups. It is only applicable to the ALB itself.