A company's security auditor needs a complete record of every API call made in the AWS account — who made it, from which IP, and what was changed — for the last 90 days. Which service provides this audit trail?
- A. Amazon CloudWatch Metrics — tracks numeric performance data (CPU, network), not API call history.
- B. AWS CloudTrail — records every AWS API call including the caller identity, source IP, time, and parameters; delivers log files to S3. ✓ Correct
- C. VPC Flow Logs — captures IP traffic flow information at the network interface level, not API-level actions.
- D. AWS Config — tracks resource configuration state and changes, but CloudTrail captures the actual API calls that caused those changes.
CloudTrail is enabled by default and retains 90 days of management event history in the console. For longer retention, create a Trail that delivers logs to S3. CloudTrail logs include: who (IAM user/role), what (API action), when (timestamp), where (source IP), and the request/response elements. Essential for security auditing and compliance.
A team wants to receive an email notification when their EC2 instance's CPU utilisation exceeds 80% for 5 consecutive minutes. Which combination of services achieves this?
- A. CloudTrail event → EventBridge rule → Lambda function → email.
- B. CloudWatch Alarm (CPU > 80% for 5 mins) → SNS Topic → Email subscription. ✓ Correct
- C. CloudWatch Logs Insights query → S3 export → SES email trigger.
- D. AWS Config rule (CPU threshold) → SNS notification → email.
CloudWatch collects EC2 CPU metrics every 1 or 5 minutes. A CloudWatch Alarm monitors a metric against a threshold over a defined evaluation period. When the alarm enters ALARM state, it sends a notification to an SNS topic. SNS delivers the message to all subscribed endpoints including email addresses. This is the standard monitoring + alerting pattern.
What is the DEFAULT retention period for CloudWatch Logs log groups?
- A. 7 days.
- B. 30 days.
- C. 90 days.
- D. Never expires — logs are retained indefinitely until you explicitly configure a retention policy or delete them. ✓ Correct
By default, CloudWatch Logs log groups have no expiration — data is stored indefinitely. You can configure a retention policy from 1 day to 10 years (3,653 days) on each log group. Logs stored indefinitely can accumulate costs. AWS best practice is to set appropriate retention periods and archive older logs to S3 for cost savings.
A developer needs to track a custom application metric — the number of active WebSocket connections — in CloudWatch dashboards and alarms. How should they publish this custom metric?
- A. Enable CloudWatch Detailed Monitoring on the EC2 instance — this only adds higher-frequency native EC2 metrics.
- B. Use the CloudWatch PutMetricData API (or AWS CLI/SDK) from the application to publish custom metric data points. ✓ Correct
- C. CloudWatch automatically discovers and tracks all application-level metrics without any code changes.
- D. Write the metric value to a CloudWatch Logs log group — CloudWatch will auto-extract it as a metric.
Custom metrics are published via the PutMetricData API call. You specify a namespace, metric name, value, unit, and optional dimensions. Custom metrics can be visualised in CloudWatch dashboards and used in alarms. CloudWatch Metric Filters can also extract metric values from log data, but PutMetricData is the direct and more common approach.
A company wants to capture all network traffic flow information (source IP, destination IP, ports, protocol, bytes) for their VPC for security analysis. Which feature captures this data?
- A. AWS CloudTrail — captures API calls, not network packet flow data.
- B. AWS WAF logs — logs web request details for ALB/CloudFront, not all VPC traffic.
- C. VPC Flow Logs — captures metadata about IP traffic flowing to and from network interfaces in a VPC. ✓ Correct
- D. Amazon Inspector — scans for vulnerabilities, does not capture network flow data.
VPC Flow Logs can be enabled at the VPC, subnet, or ENI level. They capture metadata (not payload): source/destination IP, ports, protocol, packet/byte count, action (ACCEPT/REJECT), and more. Logs are published to CloudWatch Logs or S3. Flow logs are useful for security analysis, troubleshooting connectivity, and detecting anomalous traffic patterns.