You have deployed an important application in a custom VPC. In order to capture information about the IP traffic going to and from network interfaces in the VPC, you need to enable VPC Flow Logs and publish the records to a CloudWatch Log Group. An IAM role is required to be associated with the Flow Logs. Which option describes the correct IAM policy attached in the IAM role?

Answer options:

A.{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*"
}
]
} 
B.{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
C.{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:CreateLogGroup",
"cloudwatch:CreateLogStream",
"cloudwatch:PutLogEvents"
],
"Effect": "Allow",
"Resource": "flow_log_arn"
}
]
}
D.{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
"Effect": "Allow",
"Resource": "*",
"Principal": "vpc-flow-logs.amazonaws.com",
}
]
}

Correct Answer – A
When the VPC Flow Logs is being created, an IAM role is required that has permissions to publish logs to the CloudWatch Log Groups:
Details can be found in https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html.
Option A is CORRECT: Because this IAM policy has the necessary permissions to publish logs to CloudWatch Log Groups.
Option B is incorrect: This option describes the correct trust relationship of the IAM role. However, the question asks for the IAM policies.
Option C is incorrect: The IAM policy of CloudWatch Logs should be “logs:*” instead of “cloudwatch:*”. The "Resource" field is also incorrect.
Option D is incorrect: Because for IAM policies, the "Principal" field is not required since the principal is the IAM entity that assumes the role.