Which combination of steps should the security engineer take to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
An international company has established a new business entity in South Korea.The company also has established a new AWS account to contain the workload for the South Korean region.The company has set up the workload in the new account in the ap-northeast-2 Region.The workload consists of three Auto Scaling groups of Amazon EC2 instances.All workloads that operate in this Region must keep system logs and application logs for 7 years.A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities.The solution also must keep the logs for only the required period of 7 years.

Which combination of steps should the security engineer take to meet these requirements?

(Choose three.)

Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.

Set the log retention for desired log groups to 7 years.

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.

Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.

Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.

Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.

Explanations:

Installing the Amazon CloudWatch agent on EC2 instances allows for the collection and forwarding of system and application logs to Amazon CloudWatch Logs, ensuring that logs are captured even during scaling activities.

Setting the log retention period for CloudWatch log groups to 7 years ensures compliance with the requirement to retain logs for the specified duration, automatically deleting older logs to manage storage costs.

Attaching an IAM role with permissions to forward logs to Amazon CloudWatch Logs enables the EC2 instances to send their logs securely without the need to embed AWS credentials directly in the application.

While attaching an IAM role to provide permissions is important, forwarding logs to Amazon S3 is not required in this scenario, as CloudWatch Logs is sufficient for log management and retention.

Although installing a log forwarding application and sending logs to Amazon S3 could work, it introduces unnecessary complexity since using CloudWatch Logs is a more straightforward solution that meets the requirements.

Implementing a lifecycle policy to expire objects in Amazon S3 after 7 years is not applicable here since the requirement specifies log retention in CloudWatch Logs, not S3.

2025-09-30

1 Comment

  1. Billy
    Author

    As I see it, the answer is:
    Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.

Leave a Reply

Your email address will not be published. Required fields are marked *

16 − thirteen =