Customized Log Collection for EC2 Instances in Private Subnets | AWS Security Specialty Exam

Configure Private Connections for CloudWatch Logs in VPCs

Prev Question Next Question

Question

Your company's security policies require that EC2 instances in the VPCs should send customized logs to CloudWatch Logs through private connections without being exposed to the internet. The EC2 instances are currently located in private subnets, and they can connect to the internet through NAT gateways in public subnets. Which of the following actions would you take to meet the security requirements?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer: B.

Option A is incorrect because CloudWatch Log Groups cannot be associated with a VPC subnet.

Option B is CORRECT because users can create a VPC endpoint for the CloudWatch Logs service to establish a private connection.

You can establish a private connection between the VPC and CloudWatch Logs via an interface VPC endpoint to meet the security requirements.

Option C is incorrect because a NAT gateway is used to route traffic to the internet from a private subnet.

It cannot provide a connection route within the AWS network for different services to connect.

Option D is incorrect because you cannot attach any security groups to CloudWatch Logs.

VPC endpoints use VPC endpoint policies to control access.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch-logs-and-interface-VPC.html.
Create Endpoint AVPC endpoint allows you to securely connect your VPC to another service. An interface endpoint is powered by PrivateLink, and uses an elastic network interface (ENl) as an entry point for traffic destined to the service. A gateway endpoint serves as a target for a route in your route table for traffic destined for the service. © AWS services © Find service by name © Your AWS Marketplace services Service category Service Name Enter private service name and verify. @ com.amazonaws.ap-southeast-2.logs Service name found. Verify

The correct answer is B. Create a VPC Endpoint for CloudWatch Logs (com.amazonaws.Region.logs). The EC2 logs are sent to CloudWatch Logs through a private connection.

Explanation: To meet the security requirements of sending EC2 instance logs to CloudWatch Logs through a private connection without being exposed to the internet, we need to use a VPC endpoint.

A VPC endpoint is a private connection between a VPC and AWS service, allowing instances in the VPC to communicate with the service without going over the internet or traversing a NAT gateway or VPN connection.

Option A, creating a CloudWatch Log Group and associating it with one VPC private subnet, would not meet the security requirements as the logs would still need to be sent over the internet or through a NAT gateway to reach CloudWatch Logs, making them exposed to potential security risks.

Option C, adding a route in the NAT gateway route table to serve traffic from private subnets to the CloudWatch Logs service, would also not meet the security requirements. NAT gateway is used to allow instances in private subnets to access the internet, and adding a route to the NAT gateway would still require the traffic to traverse the internet, which is not allowed by the security policies.

Option D, establishing an AWS private link connection between VPC private subnets and CloudWatch Logs service and attaching a security group to CloudWatch Logs to allow inbound traffic from the EC2 security groups, is also incorrect because establishing a private link connection would still require a NAT gateway or VPN connection to access the internet.

Therefore, the best option is B, creating a VPC Endpoint for CloudWatch Logs (com.amazonaws.Region.logs). The EC2 logs are sent to CloudWatch Logs through a private connection. This will allow the EC2 instances in the private subnets to send their logs directly to CloudWatch Logs without going over the internet or through a NAT gateway, meeting the security requirements.

Prev Question Next Question