Secure Storage of EC2 Instance Log Files in AWS VPC

Question

Your company has an EC2 Instance that is hosted in an AWS VPC.

There is a requirement to ensure that log files from the EC2 Instance are stored in a secure manner.

The access should be limited to the log files.

How can this be accomplished? Choose 2 answers from the options given below.

Each answer forms part of the solution.

Answers

Explanations

Answer: B and D.

Option A is incorrect because CloudTrail is used to record API activities and not for storing log files for EC2 instances.

Option B is CORRECT because you can create a separate log group and send all logs from the EC2 Instance to that group.

Option C is incorrect because CloudTrail is not used for storing EC2 instance log files; hence it would not work.

Option D is CORRECT because you need to create and restrict access to CloudWatch log groups using IAM policies.

For more information on CloudWatch Log Groups, kindly refer to the following URL:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html

To ensure that log files from an EC2 instance are stored in a secure manner, and access is limited to the log files, we can use the following two solutions:

  1. Stream the log files to a separate CloudWatch Log group:

    • CloudWatch Logs is a managed service offered by AWS that allows you to monitor, store, and access log files from various AWS resources, including EC2 instances.
    • By creating a separate CloudWatch Log group, we can ensure that logs from the EC2 instance are stored in a dedicated location, isolated from other logs, so that permissions can be granted on that group alone.
    • We can also use CloudWatch Logs to set up access control policies that limit who can access the log files stored in the Log group. This can be done using IAM policies.
    • To implement this solution, we would need to install and configure the CloudWatch Logs agent on the EC2 instance. This agent would stream the log files to the specified CloudWatch Log group.
  2. Create an IAM policy that gives the desired level of access to the CloudWatch Log group:

    • As mentioned earlier, we can use IAM policies to control access to the log files stored in the CloudWatch Log group.
    • We would need to create an IAM policy that grants the desired level of access to the log files, and then attach this policy to the appropriate IAM users or roles.
    • For example, we could create a policy that only allows read-only access to the log files, and then attach this policy to a role that is assigned to the team responsible for monitoring the logs.
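The two IAM policies described above, written out as an added example (not code from the original page): a write-only policy for the instance role that the CloudWatch agent uses, a read-only policy for the monitoring team's role, and a check that both are scoped to the dedicated log group rather than to a wildcard. The region, account ID and log group name are constructed sample values.

```python
import json

# Constructed sample values (assumptions, not taken from the original question).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
LOG_GROUP = "ec2/app-logs"


def log_group_arn(region, account_id, log_group):
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"


def writer_policy(region, account_id, log_group):
    """Policy for the EC2 instance role: the agent may only create streams and
    put events in this one group. No read actions, no other groups."""
    arn = log_group_arn(region, account_id, log_group)
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "WriteOnlyToDedicatedGroup",
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [arn, f"{arn}:log-stream:*"]}]}


def reader_policy(region, account_id, log_group):
    """Read-only policy for the monitoring team's role, scoped to the same group."""
    arn = log_group_arn(region, account_id, log_group)
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadOnlyDedicatedGroup",
        "Effect": "Allow",
        "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
        "Resource": [arn, f"{arn}:log-stream:*"]}]}


def is_scoped(policy, arn):
    """True only if every Allow statement names exactly this log group (or its
    streams) and grants no wildcard action. Catches 'Resource': '*' and 'logs:*'."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not all(r == arn or r.startswith(arn + ":log-stream:") for r in resources):
            return False
        if any(a == "*" or a.endswith(":*") for a in actions):
            return False
    return True


if __name__ == "__main__":
    for name, pol in (("instance-role", writer_policy(REGION, ACCOUNT_ID, LOG_GROUP)),
                      ("monitoring-role", reader_policy(REGION, ACCOUNT_ID, LOG_GROUP))):
        print(name, "scoped:", is_scoped(pol, log_group_arn(REGION, ACCOUNT_ID, LOG_GROUP)))
        print(json.dumps(pol, indent=2))
```

Attach the writer policy to the instance profile role and the reader policy to the monitoring team's role; any policy for which `is_scoped` returns False grants more than the dedicated group and should not be attached.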

In conclusion, the two solutions that can be used to ensure that log files from an EC2 instance are stored securely and access is limited to the log files are:

  1. Stream the log files to a separate CloudWatch Log group.
  2. Create an IAM policy that gives the desired level of access to the CloudWatch Log group.