AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A company runs an application on Amazon EC2 Linux instances that are launched by an Auto Scaling group. Operations must collect Apache access logs and memory utilization from every instance, send the data to Amazon CloudWatch, and ensure that any update to the collection settings is applied automatically to new and running instances without storing credentials on the servers. Which solution meets these requirements with the LEAST operational overhead?

Bake the CloudWatch Logs agent and a cron-based script that runs the aws cloudwatch put-metric-data CLI command into the AMI, passing long-lived access keys to the instances with user data. Rebuild the AMI whenever the configuration changes.
Store a CloudWatch agent JSON configuration in Systems Manager Parameter Store. Attach an IAM instance profile that includes AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy in the launch template. Use Systems Manager Run Command with AWS-ConfigureAWSPackage to install the CloudWatch agent and AmazonCloudWatch-ManageAgent to start it, so the agent automatically downloads the configuration and publishes Apache logs and memory metrics.
Turn on AWS CloudTrail management and data events for the account, enable CloudTrail Insights, and create a CloudWatch Logs subscription filter to capture Apache logs and memory metrics.
Enable detailed monitoring on the Auto Scaling group and write a shell script that copies Apache logs to an S3 bucket every five minutes; configure an S3 event to import the logs into CloudWatch Logs.

Report Issue

Answer Description

The unified CloudWatch agent can collect both system-level metrics such as memory utilization and application logs like Apache access logs. By storing the agent's JSON configuration centrally in AWS Systems Manager Parameter Store, any change to the configuration can be fetched when the agent starts or is refreshed, so new and existing Auto Scaling instances stay consistent without rebuilding AMIs. Installing the package with the AWS-ConfigureAWSPackage Run Command document and then starting or reloading it with the AmazonCloudWatch-ManageAgent document lets you push the latest configuration fleet-wide. An instance profile that includes AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy supplies the necessary permissions, so no static credentials are stored on the servers.

The older CloudWatch Logs agent publishes only logs and would still require custom scripts for memory metrics and a manual update process. Copying logs to Amazon S3 and importing them into CloudWatch Logs does not solve in-guest memory monitoring and adds scripting overhead. Enabling CloudTrail and CloudTrail Insights records management and data-plane API events but cannot collect operating-system metrics or web-server log files. Therefore, the Systems Manager-based deployment of the CloudWatch agent is the lowest-maintenance approach.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.