What should the security engineer recommend?
Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
Build the Amazon CloudWatch agent into the AMI used in the Auto Scaling group. Configure the CloudWatch agent to send the logs to Amazon CloudWatch Logs for review.
Within the Auto Scaling lifecycle, add a lifecycle hook at the terminating state transition and alert the engineering team by using a lifecycle notification to Amazon Simple Notification Service (Amazon SNS). Configure the hook to remain in the Terminating:Wait state for 1 hour to allow manual review of the security logs prior to instance termination.
Explanations:
This option recommends attaching an Amazon EBS volume at instance creation and reattaching it upon termination, which doesn’t provide durability or long-term availability. EBS volumes are bound to specific instances and would still risk data loss during scale-in events if the instance is terminated before the volume is properly detached and reattached.
While Amazon EFS is a durable solution for storing logs, the process of copying logs daily from EBS to EFS is prone to data loss if the instance is terminated before the logs are copied. This solution also adds complexity with manual log copying, which is unnecessary given more direct solutions like CloudWatch.
Configuring the CloudWatch agent to send logs to CloudWatch Logs ensures log durability and availability. CloudWatch Logs is a managed service that retains log data for the desired retention period (1 year in this case), and it removes the risk of data loss during scale-in events because logs are shipped off the instance continuously rather than at termination. This solution is fully automated and scalable.
Although lifecycle hooks with SNS notifications allow manual intervention, this solution introduces delays (up to 1 hour) and requires manual log review. This is inefficient for ensuring the durability and availability of log data, which should be automated and not require manual effort.
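For the recommended option, the part that matters is the agent configuration baked into the AMI: it streams the security log off the instance as it is written and sets the log group's retention to 1 year. The following is an added illustrative configuration, not taken from the question; the log file path and log group name are assumed, and `{instance_id}` is the agent's built-in placeholder so each instance in the group writes to its own stream.

```json
{
  "agent": {
    "run_as_user": "cwagent"
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/secure",
            "log_group_name": "example-asg-security-logs",
            "log_stream_name": "{instance_id}",
            "timezone": "UTC",
            "retention_in_days": 365
          }
        ]
      }
    }
  }
}
```

Save this as the agent's config in the AMI and enable the agent service so it starts on every scaled-out instance; the instance role must allow creating log groups and streams, putting log events, and setting the retention policy, which the managed CloudWatchAgentServerPolicy grants.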