Enabling VPC Flow Logs and IAM Policy for AWS Certified Security - Specialty Exam | AWS Provider

Enabling VPC Flow Logs and IAM Policy

Question

You have deployed an important application in a custom VPC.

In order to capture information about the IP traffic going to and from network interfaces in the VPC, you need to enable VPC Flow Logs and publish the records to a CloudWatch Log Group.

An IAM role is required to be associated with the Flow Logs.

Which option describes the correct IAM policy attached in the IAM role?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - A.

When the VPC Flow Logs is being created, an IAM role is required that has permissions to publish logs to the CloudWatch Log Groups:

Details can be found in https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html.

Option A is CORRECT: Because this IAM policy has the necessary permissions to publish logs to CloudWatch Log Groups.

Option B is incorrect: This option describes the correct trust relationship of the IAM role.

However, the question asks for the IAM policies.

Option C is incorrect: The IAM policy of CloudWatch Logs should be “logs:*” instead of “cloudwatch:*”

The "Resource" field is also incorrect.

Option D is incorrect: Because for IAM policies, the "Principal" field is not required since the principal is the IAM entity that assumes the role.

Create flow log

Flow logs can capture IP traffic flow information for the network interfaces associated with your resources. You can create multiple subscriptions to send traffic to different destinations. Learn more

Resources vp > @

Filter* | Accept y¥ Ce

Destination © Send to CloudWatch Logs
Send to an S3 bucket

The IAM role that has permission to publish to
the Amazon CloudWatch Logs log group.

Destination log group* Enter log destination v

IAM role* No IAM role selected y¥ C ®@®

The IAM role must have permission to publish to the CloudWatch Logs log group. Set Up Permissions

The correct IAM policy that needs to be attached to the IAM role for enabling VPC Flow Logs and publishing the records to a CloudWatch Log Group is:

Option A: { "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams" ], "Effect": "Allow", "Resource": "*" } ] }

Explanation:

VPC Flow Logs allow you to capture information about the IP traffic going to and from network interfaces in your VPC. You can use this information for security analysis, troubleshooting network connectivity issues, and optimizing network performance.

To enable VPC Flow Logs, you need to create a Flow Log and specify the IAM role that CloudWatch Logs should assume to publish the log data to a CloudWatch Log Group. The IAM role should have permissions to create and write to the CloudWatch Log Group.

The correct IAM policy in this scenario is option A, which grants permissions for the following actions:

  • logs:CreateLogGroup: Allows the IAM role to create a new CloudWatch Log Group.
  • logs:CreateLogStream: Allows the IAM role to create a new CloudWatch Log Stream for the VPC Flow Logs.
  • logs:PutLogEvents: Allows the IAM role to publish log events to the CloudWatch Log Group.
  • logs:DescribeLogGroups: Allows the IAM role to describe the existing CloudWatch Log Groups.
  • logs:DescribeLogStreams: Allows the IAM role to describe the existing CloudWatch Log Streams.

The Effect of the policy is set to "Allow", which means that the IAM role is allowed to perform the specified actions. The Resource is set to "*", which means that the IAM role has permission to perform the specified actions on all CloudWatch Log Groups and Streams.

Option B is incorrect because it only specifies the permissions for assuming the IAM role by the VPC Flow Logs service. It does not grant permissions for creating and writing to the CloudWatch Log Group.

Option C is incorrect because it specifies the Resource as "flow_log_arn", which is not a valid ARN for a CloudWatch Log Group. It should be the ARN of the CloudWatch Log Group instead.

Option D is incorrect because it specifies the Principal as "vpc-flow-logs.amazonaws.com", which is not a valid value for the Principal element. It should be an AWS service, IAM user, or IAM role that is allowed or denied access to the resource.