DOP-C02 Exam Dumps : AWS Certified DevOps Engineer - Professional

When using the awslogs log driver with Amazon ECS on EC2, CloudWatch Logs permissions must be granted to the ECS container instance IAM role, not the task definition or infrastructure role. The ECS agent running on the EC2 instances is responsible for creating log streams and pushing log events to Amazon CloudWatch Logs on behalf of the containers.

In this scenario, the task definition is correctly configured to automatically create the log group (awslogs-create-group: true) and send logs to the specified Region. However, the error occurs because the EC2 container instances do not have sufficient IAM permissions to perform the required CloudWatch Logs API calls. As a result, ECS cannot place the task, and it reports that no container instance meets the requirements.

According to AWS documentation, the container instance IAM role must include the following permissions when using the awslogs driver:

logs:CreateLogStream

logs:PutLogEvents

(and, when creating log groups automatically) logs:CreateLogGroup

Option C correctly addresses the root cause by updating the container instance IAM role. Option A is incorrect because the ECS infrastructure or service role is not used to write logs. Option B is unrelated to permissions and does not resolve the issue. Option D would fail because the log group does not already exist, causing task startup to fail.

Therefore, modifying the container instance IAM role is the correct solution.

S3 cross-Region replication (CRR) automatically replicates data between buckets across different AWS Regions. To enable CRR, you need to add a replication configuration to your source bucket that specifies the destination bucket, the IAM role, and the encryption type (optional). You also need to grant permissions to the IAM role to perform replication actions on both the source and destination buckets. Additionally, you can choose the destination storage class and enable additional replication options such as S3 Replication Time Control (S3 RTC) or S3 Batch Replication.

Comprehensive & Detailed Explanation (150–250 words):

AWS Control Tower provides Account Factory and Account Factory Customizations (AFC) as the lowest-overhead and most scalable method for creating and configuring new accounts. AFC allows you to define blueprints that include mandatory baseline resources such as IAM roles, logging configurations, guardrails, network settings, and tagging standards. When accounts are created through Account Factory using a customization blueprint, all controls and baseline configurations are applied automatically during provisioning, without any additional automation steps or StackSet deployments.

Option B requires running StackSets after the account is created, which adds manual management overhead and defeats the built-in automation advantages of Control Tower. Options C and D rely on manually provisioning accounts via AWS Organizations, which bypasses Control Tower’s governance and would require custom Lambda or StackSet automation to replicate controls that Control Tower already provides automatically.

Because the question explicitly asks for the least operational overhead, the correct answer is to use the Control Tower AFC blueprint, ensuring every account is born compliant with the required guardrails and baseline configuration.