4.3.4. Sample Questions - Domain 4: Monitoring & Logging
Question 1:
A DevOps team needs to collect custom metrics from their application running on Amazon EC2 instances, such as the number of active user sessions and specific business transaction counts. These metrics are not available by default in CloudWatch. Which is the most efficient way to collect and send these custom metrics to CloudWatch?
A) Use AWS CloudTrail to log application events and create metrics from them.
B) Configure Amazon Kinesis Data Firehose to stream application logs to CloudWatch.
C) Install and configure the CloudWatch Agent on the EC2 instances.
D) Develop a Lambda function to periodically poll the application and push metrics.
Correct Answer: C
Explanation:
- A) Use AWS CloudTrail to log application events and create metrics from them: CloudTrail logs API calls made to AWS services, not custom application metrics. While you can create metrics from CloudTrail logs, it's not designed for collecting arbitrary custom application metrics.
- B) Configure Amazon Kinesis Data Firehose to stream application logs to CloudWatch: Kinesis Data Firehose is for streaming data, including logs, to various destinations. While logs can contain metric data, Firehose itself doesn't directly collect custom metrics from an application; it's a transport mechanism.
- C) Install and configure the CloudWatch Agent on the EC2 instances: The CloudWatch Agent is specifically designed to collect system-level metrics (e.g., memory, disk, CPU, network) and logs from EC2 instances and on-premises servers. Crucially, it also supports collecting custom metrics from applications running on these instances. This is the most direct and efficient way to collect the required custom metrics, aligning with the First Principle of Centralized Observability and Data Collection.
- D) Develop a Lambda function to periodically poll the application and push metrics: While technically possible, this approach introduces unnecessary complexity and operational overhead compared to using the purpose-built CloudWatch Agent. It would require managing the Lambda function, its permissions, and scheduling.
Question 2:
A company wants to analyze their application logs in real-time to identify errors and performance bottlenecks. The logs are currently being streamed to CloudWatch Logs. They need a solution that allows them to perform ad-hoc queries and visualize log data without exporting it to another service. Which CloudWatch Logs feature should they use?
A) CloudWatch Alarms
B) CloudWatch Dashboards
C) CloudWatch Logs Insights
D) CloudWatch Metric Filters
Correct Answer: C
Explanation:
- A) CloudWatch Alarms: CloudWatch Alarms are used to trigger actions based on metric thresholds. They are for alerting, not for querying or visualizing log data.
- B) CloudWatch Dashboards: CloudWatch Dashboards allow you to create customizable views of your CloudWatch metrics and alarms. While they can display metrics derived from logs, they don't provide a direct interface for ad-hoc querying of raw log data.
- C) CloudWatch Logs Insights: CloudWatch Logs Insights is a fully integrated, interactive query service that enables you to search and analyze your log data in CloudWatch Logs. It allows you to perform powerful ad-hoc queries, discover fields, and visualize log data directly within the CloudWatch console, aligning with the First Principle of Actionable Insights from log data.
- D) CloudWatch Metric Filters: Metric Filters are used to extract metric data from log events and publish them as CloudWatch metrics. They are for creating metrics, not for interactive querying of the raw log data itself.
Question 3:
A security team needs to monitor all API calls made to their AWS accounts for suspicious activity and unauthorized access attempts. They require a service that provides a historical record of these calls, including who made the call, from where, and when. Which AWS service is designed for this purpose?
A) Amazon CloudWatch
B) AWS CloudTrail
C) AWS Config
D) Amazon GuardDuty
Correct Answer: B
Explanation:
- A) Amazon CloudWatch: CloudWatch primarily focuses on operational monitoring (metrics, logs, alarms) for resource performance and application health. While it can ingest CloudTrail logs, its core purpose is not API call auditing.
- B) AWS CloudTrail: AWS CloudTrail provides a record of actions taken by a user, role, or an AWS service in AWS. It records API calls for your account, including who made the call, from which IP address, when, and what resources were affected. This is fundamental for security auditing, compliance, and operational troubleshooting, aligning with the First Principle of Accountability and Auditability in the cloud.
- C) AWS Config: AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. It's for configuration compliance, not for logging API calls.
- D) Amazon GuardDuty: GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. It analyzes various data sources, including CloudTrail event logs, but it is a detection service, not the primary service for recording all API calls.
Question 4:
A DevOps team is implementing a new microservices application and needs to gain end-to-end visibility into requests as they flow through various services, including AWS Lambda, Amazon API Gateway, and custom services running on EC2. They want to identify performance bottlenecks and errors across the distributed architecture. Which AWS service is best suited for distributed tracing and performance analysis in this scenario?
A) Amazon CloudWatch
B) AWS CloudTrail
C) AWS X-Ray
D) Amazon Inspector
Correct Answer: C
Explanation:
- A) Amazon CloudWatch: CloudWatch provides metrics and logs for individual services. While it can give insights into component health, it lacks the ability to trace a single request across multiple distributed services.
- B) AWS CloudTrail: CloudTrail records API calls for auditing and governance. It does not provide performance insights or end-to-end tracing of requests through an application.
- C) AWS X-Ray: AWS X-Ray is a service that helps developers analyze and debug distributed applications. It provides an end-to-end view of requests as they travel through your application, showing a map of the application's components, segmenting requests, and identifying performance bottlenecks and errors. This directly addresses the need for distributed tracing in a microservices architecture, aligning with the First Principle of Holistic Observability and Performance Diagnostics.
- D) Amazon Inspector: Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It's for security vulnerabilities, not for application performance tracing.
Question 5:
A company needs to ensure that their application logs are securely stored and retained for a specific period to meet compliance requirements. They are using CloudWatch Logs. Which CloudWatch Logs feature should they configure to manage the retention of their log data?
A) CloudWatch Logs Insights
B) CloudWatch Logs Subscriptions
C) CloudWatch Log Group Retention Policy
D) CloudWatch Metric Filters
Correct Answer: C
Explanation:
- A) CloudWatch Logs Insights: Logs Insights is for querying and analyzing log data, not for managing retention.
- B) CloudWatch Logs Subscriptions: Log Subscriptions allow you to stream log data to other services for real-time processing. They are for data export, not for retention management within CloudWatch Logs.
- C) CloudWatch Log Group Retention Policy: CloudWatch Logs allows you to set a retention policy for each log group. This policy defines how long log events are kept in CloudWatch Logs. You can choose to retain logs indefinitely or for a specific number of days, which directly addresses the requirement for secure storage and retention to meet compliance, aligning with the First Principle of Data Governance and Compliance by Design.
- D) CloudWatch Metric Filters: Metric Filters are used to extract metric data from log events and publish them as CloudWatch metrics. They are for creating metrics, not for managing log retention.