AWS Certified SysOps Administrator Practice Exam


What should be done if VPC flow logs are not operational due to access errors?

  1. Modify the IAM Role associated with the existing flow log

  2. Delete the existing flow log and create a new one with the correct IAM role configuration

  3. Restart the VPC to reset the flow logs

  4. Enable CloudTrail to monitor access issues for the flow logs

The correct answer is: Delete the existing flow log and create a new one with the correct IAM role configuration

When VPC flow logs are not operational due to access errors, the most effective solution is to delete the existing flow log and create a new one with the correct IAM role configuration. This ensures that you start with a fresh configuration that properly aligns with the permissions required for access and log delivery.

VPC flow logs rely on an IAM role to write log data to the specified destination, such as an Amazon S3 bucket or Amazon CloudWatch Logs. Access errors typically indicate that the existing IAM role lacks the necessary permissions or is incorrectly configured. By deleting the flow log and recreating it with an appropriate IAM role – one that contains the required policies for log writing – you can rectify the issue without the complications that might arise from modifying an existing configuration.

The alternative of modifying the IAM role might not resolve the issue if other settings are also incorrect, whereas creating a fresh flow log ensures that all settings are correct from the outset. Simply restarting the VPC does not address the underlying permission-related errors that cause the flow logs to malfunction and is unlikely to reset the configuration issues related to IAM roles. Enabling CloudTrail can help you monitor access issues but does not directly resolve the problem with the flow logs themselves.