Your company has an EC2 Instance that is hosted in an AWS VPC. There is a requirement to ensure that log files from the EC2 Instance are stored in a secure manner. The access should be limited to the log files. How can this be accomplished? Choose 2 answers from the options given below. Each answer forms part of the solution.

Answer options:

A.Stream the log files to a separate CloudTrail trail.
B.Stream the log files to a separate Cloudwatch Log group.
C.Create an IAM policy that gives the desired level of access to the CloudTrail trail.
D.Create an IAM policy that gives the desired level of access to the Cloudwatch Log group.

Answer: B and D
Option A is incorrect because CloudTrail is used to record API activities and not for storing log files for EC2 instances.
Option B is CORRECT because you can create a separate log group and send all logs from the EC2 Instance to that group.
Option C is incorrect because CloudTrail is not used for storing EC2 instance log files; hence it would not work.
Option D is CORRECT because you need to create and restrict access to CloudWatch log groups using IAM policies.
For more information on Cloudwatch Log Groups, kindly refer to the following URL:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html