An international company has established a new business entity in South Korea. The company also has established a new AWS account to contain the workload for the South Korean region. The company has set up the workload in the new account in the ap-northeast-2 Region. The workload consists of three Auto Scaling groups of Amazon EC2 instances. All workloads that operate in this Region must keep system logs and application logs for 7 years. A security engineer must implement a solution to ensure that no logging data is lost for each instance during scaling activities. The solution also must keep the logs for only the required period of 7 years.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)
A. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch. Generate a CloudWatch agent configuration file to forward the required logs to Amazon CloudWatch Logs.
B. Set the log retention for desired log groups to 7 years.
C. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon CloudWatch Logs.
D. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use. Configure the role to provide the necessary permissions to forward logs to Amazon S3.
E. Ensure that a log forwarding application is installed on all the EC2 instances that the Auto Scaling groups launch. Configure the log forwarding application to periodically bundle the logs and forward the logs to Amazon S3.
F. Configure an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years.
ABC
How do you ensure that EC2 instances in an Auto Scaling group do not lose logs during scaling activities while also meeting the 7-year log retention requirement?
Install a log collection tool (such as the CloudWatch agent) on the EC2 instances so that logs are streamed in real time to a centralized storage service (such as CloudWatch Logs or S3).
Make sure the permissions for forwarding logs are configured correctly, so that logs are not lost because of insufficient permissions.
Keep the role's permissions minimal: grant only the log-write permissions that are required.
Tip: eliminate the clearly wrong options, then choose the most reasonable one among the options that have no obvious flaw.
A. Correct. Ensure that the Amazon CloudWatch agent is installed on all the EC2 instances that the Auto Scaling groups launch, and generate a CloudWatch agent configuration file that forwards the required logs to Amazon CloudWatch Logs. Installing the CloudWatch agent collects and transmits logs in real time, which satisfies the requirement that no logs are lost during scaling, so this is a necessary step.
B. Correct. Set the log retention for the desired log groups to 7 years. CloudWatch Logs supports a custom retention period per log group; setting it to 7 years directly satisfies the compliance requirement, so this is a necessary step.
C. Correct. Attach an IAM role to the launch configuration or launch template that the Auto Scaling groups use, and configure the role with the permissions needed to forward logs to Amazon CloudWatch Logs. Attaching the IAM role with CloudWatch Logs write permissions ensures that every instance, including newly launched ones, can keep transmitting logs during scaling, so this is a necessary step.
D. Incorrect. Attaching an IAM role to the launch configuration or launch template with permissions to forward logs to Amazon S3 would allow delivery to S3, but the question does not require S3 as the log store, and it would also need an additional Lifecycle policy, so it is not the best choice.
E. Incorrect. Installing a log forwarding application on all the EC2 instances and configuring it to periodically bundle logs and forward them to Amazon S3 relies on a third-party forwarder that adds complexity and maintenance and is less integrated than the CloudWatch agent; in addition, because logs are only bundled periodically, entries written after the last bundle can be lost when an instance is terminated during scale-in, so it is not the preferred option.
F. Incorrect. Configuring an Amazon S3 Lifecycle policy on the target S3 bucket to expire objects after 7 years would, if S3 were chosen as the log store, delete the logs automatically after 7 years, but the question does not require S3, so this step is not necessary.
Log storage and retention: CloudWatch Logs supports a custom retention period per log group, which can be set to 7 years to satisfy the compliance requirement.
IAM permission management: the launch configuration or launch template used by the Auto Scaling groups must have an IAM role attached that grants the instances permission to write logs to CloudWatch Logs.
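The three correct steps (A, B, C) as an added worked example, not part of the original page: it builds the CloudWatch agent logs configuration, maps the 7-year requirement onto the retention values CloudWatch Logs actually accepts, and produces a least-privilege policy for the instance role. The account id, log file paths and log group names are constructed placeholders.

```python
import json

# CloudWatch Logs accepts only these retention values (days); 2557 days is the 7-year option.
ALLOWED_RETENTION_DAYS = [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
                          731, 1096, 1827, 2192, 2557, 2922, 3288, 3653]


def retention_days_for_years(years):
    """Smallest allowed retention value covering at least years*365 days."""
    for days in ALLOWED_RETENTION_DAYS:
        if days >= years * 365:
            return days
    raise ValueError("no allowed CloudWatch Logs retention value covers %d years" % years)


def agent_config(log_files, retention_days):
    """CloudWatch agent 'logs' section (option A): one collect_list entry per
    (file path, log group). One stream per instance means a freshly launched
    instance starts shipping as soon as the agent runs; retention_in_days makes
    the agent apply the 7-year retention to the group (option B)."""
    return {"logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": path,
         "log_group_name": group,
         "log_stream_name": "{instance_id}",
         "retention_in_days": retention_days}
        for path, group in log_files]}}}}


def instance_role_policy(account_id, region, log_groups):
    """Least-privilege policy for the launch template's instance role (option C),
    limited to the agent's log groups in the workload's region."""
    arns = ["arn:aws:logs:%s:%s:log-group:%s:*" % (region, account_id, g) for g in log_groups]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:PutLogEvents", "logs:DescribeLogStreams",
                   "logs:PutRetentionPolicy"],
        "Resource": arns}]}


# Constructed sample inputs: placeholder account id and example log paths/groups.
LOG_FILES = [("/var/log/messages", "/korea-workload/system"),
             ("/var/log/app/app.log", "/korea-workload/application")]
RETENTION = retention_days_for_years(7)
CONFIG = agent_config(LOG_FILES, RETENTION)
POLICY = instance_role_policy("111111111111", "ap-northeast-2", [g for _, g in LOG_FILES])

if __name__ == "__main__":
    print(json.dumps(CONFIG, indent=2))
    print(json.dumps(POLICY, indent=2))
```

Write the CONFIG output into the agent configuration file baked into the launch template's AMI or user data, and attach the POLICY to the role referenced by that launch template.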