What should a SysOps administrator do to meet this requirement in compliance with AWS best practices?
Configure CloudWatch from the AWS Management Console for the instances. Wait for AWS to automatically install and configure the agents for the instances
Install and configure the CloudWatch agent on the instances. Attach an IAM role to allow the instances to write logs to CloudWatch
Install and configure the CloudWatch agent on the instances. Attach an IAM user to allow the instances to write logs to CloudWatch
Install and configure the CloudWatch agent on the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch
Explanations:
AWS does not automatically install and configure the CloudWatch agent on EC2 instances. The administrator must manually install and configure the agent on each instance.
This option meets AWS best practices. Installing and configuring the CloudWatch agent on the instances allows for log collection. Attaching an IAM role with the necessary permissions allows the instances to write logs to CloudWatch securely.
IAM users are not designed for use with EC2 instances in this context. An IAM role, which is specifically intended for granting permissions to AWS resources, should be used instead of an IAM user.
While security groups are important for network access, they do not control permissions for writing logs to CloudWatch. The correct approach is to use an IAM role, not security groups, for granting permissions to write logs.
I would say the answer is:
Install and configure the CloudWatch agent on the instances. Attach an IAM role to allow the instances to write logs to CloudWatch