Which combination of steps should the security engineer take to troubleshoot this issue?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached.A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application.To ensure that the logs flow securely, the company’s networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs.The networking team has attached the endpoints to the VPC.The application is generating logs.However, when the security engineer queries CloudWatch, the logs do not appear.

Which combination of steps should the security engineer take to troubleshoot this issue?

(Choose three.)

Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.

Create a metric filter on the logs so that they can be viewed in the AWS Management Console.

Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.

Check the VPC endpoint policies of both VPC endpoints to ensure that the EC2 instances have permissions to use them.

Create a NAT gateway in the subnet so that the EC2 instances can communicate with CloudWatch.

Ensure that the security groups allow all the EC2 instances to communicate with each other to aggregate logs before sending.

Explanations:

The EC2 instance profile must have the necessary IAM permissions to create log streams and write logs to CloudWatch Logs. If these permissions are not granted, the logs will not be successfully sent to CloudWatch.

The CloudWatch agent configuration file on the EC2 instances must specify the correct log files to be collected. If the agent is misconfigured, it may not capture or send the logs to CloudWatch.

The VPC endpoint policies must allow the EC2 instances to access CloudWatch monitoring and CloudWatch logs. If the endpoint policies are too restrictive, the EC2 instances will be unable to send logs to CloudWatch.

A metric filter is used for creating metrics based on log data, not for troubleshooting log visibility in CloudWatch. It does not help in the context of missing logs.

A NAT gateway is not required since the VPC endpoints already provide private connectivity to CloudWatch services. The EC2 instances do not need to access the internet, as the VPC endpoints handle the communication.

Security groups are not required for EC2 instances to communicate with each other for log aggregation. The logs are sent directly from the CloudWatch agent to CloudWatch services, not through inter-instance communication.

2025-10-02

1 Comment

  1. Justin
    Author

    From what I’ve heard, the answer is:
    Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × 5 =