Which combination of steps must the DevOps engineer take to meet these requirements?

By:
In: DOP-C01
Tagged:
With: 1 Comment
A company is implementing an Amazon Elastic Container Service (Amazon ECS) cluster to run its workload.The company architecture will run multiple ECS services on the cluster.The architecture includes an Application Load Balancer on the front end and uses multiple target groups to route traffic.A DevOps engineer must collect application and access logs.The DevOps engineer then needs to send the logs to an Amazon S3 bucket for near-real-time analysis.

Which combination of steps must the DevOps engineer take to meet these requirements?

(Choose three.)

Download the Amazon CloudWatch Logs container instance from AWS. Configure this instance as a task. Update the application service definitions to include the logging task

Install the Amazon CloudWatch Logs agent on the ECS instances. Change the logging driver in the ECS task definition to awslogs.

Use Amazon EventBridge to schedule an AWS Lambda function that will run every 60 seconds and will run the Amazon CloudWatch Logs create-export-task command. Then point the output to the logging S3 bucket.

Activate access logging on the ALB. Then point the ALB directly to the logging S3 bucket.

Activate access logging on the target groups that the ECS services use. Then send the logs directly to the logging S3 bucket.

Create an Amazon Kinesis Data Firehose delivery stream that has a destination of the logging S3 bucket. Then create an Amazon CloudWatch Logs subscription filter for Kinesis Data Firehose.

Explanations:

Installing the CloudWatch Logs agent on the ECS instances and changing the logging driver in the ECS task definition toawslogsallows application logs to be sent to CloudWatch Logs, which can then be exported to S3.

Enabling access logging on the Application Load Balancer (ALB) and directing the logs to an S3 bucket allows for near-real-time logging of access requests made to the ALB, which meets the logging requirement.

Creating a Kinesis Data Firehose delivery stream with an S3 bucket as the destination and setting up a CloudWatch Logs subscription filter allows for near-real-time log delivery from CloudWatch Logs to S3.

The Amazon CloudWatch Logs container instance is not needed; the ECS task itself can be configured to use CloudWatch Logs directly.

Using Amazon EventBridge to schedule an AWS Lambda function to export CloudWatch Logs to S3 is unnecessary and adds complexity, as simpler solutions like direct CloudWatch Logs integration with S3 exist.

Target groups do not support access logging in Amazon ECS; access logs must be activated on the ALB itself, not the target groups.

2025-10-04

1 Comment

  1. Julie
    Author

    I draft that the answer is:
    Install the Amazon CloudWatch Logs agent on the ECS instances. Change the logging driver in the ECS task definition to awslogs.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen − 10 =