Topic 1 Question 27
A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company's product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager by following the principle of least privilege. Which solution will meet these requirements?
A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
B. Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
C. Create an IAM user for the company's employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
D. Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.
User votes
Comments (17)
- Selected answer: A
Answer A: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html
Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.
👍 48
masetromain 2022/10/11 - Selected answer: A
The answer is A, because the question says to follow the principle of least privileges.
When sharing a dashboard by providing an e-mail address, AWS creates an IAM role behind the scenes with only 4 permissions:
- cloudwatch:GetInsightRuleReport
- cloudwatch:GetMetricData
- cloudwatch:DescribeAlarms
- ec2:DescribeTags
The person you share the dashboard with has to enter a username + password every time they want to see the dashboard (even without having an IAM user!) and they will then get the permissions assigned to the previously created IAM role (happening behind the scenes).
Option B suggests creating an IAM user with the CloudWatchReadOnlyAccess policy, which provides far more access than the 4 permissions listed above.
👍 4
BlueVolcano1 2023/01/17 B. This solution follows the principle of least privilege by creating a dedicated IAM user for the product manager with only the necessary permissions to access the CloudWatch dashboard. The CloudWatchReadOnlyAccess AWS managed policy grants read-only access to CloudWatch resources, which is sufficient for the product manager to view the metrics. The product manager can access the dashboard using the new login credentials and the browser URL provided. This solution also avoids sharing the dashboard with the product manager, which may not be desirable from a security perspective. Option A is not recommended because it involves sharing the dashboard, which may not be secure. Option C grants access to all company employees, which is more permissive than necessary. Option D involves deploying a bastion server, which is not necessary for this use case and adds complexity to the solution.
👍 4
Akash19991006 2023/04/22
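The disagreement in the comments above comes down to how many actions each option actually grants. The following is an added example, not part of any comment on this page and not AWS code: a small audit script that expands the wildcard action patterns of an IAM policy document against a catalogue of actions and reports which granted actions exceed the four permissions masetromain's comment lists for the role created by dashboard sharing. Everything except those four action names is an assumption: SAMPLE_READONLY_POLICY is a constructed, simplified policy in the style of a broad read-only managed policy (it is not the real CloudWatchReadOnlyAccess document), and ACTION_CATALOGUE is a constructed subset of service actions used only to make wildcard expansion concrete.

```python
"""Least-privilege audit: which actions does a policy grant beyond the
minimum a feature needs?

Constructed example. MINIMAL_DASHBOARD_ACTIONS are the four permissions
named in the comment thread; everything else here is illustrative."""
import fnmatch
import json

# The four actions the comment thread attributes to the sharing role.
MINIMAL_DASHBOARD_ACTIONS = {
    "cloudwatch:GetInsightRuleReport",
    "cloudwatch:GetMetricData",
    "cloudwatch:DescribeAlarms",
    "ec2:DescribeTags",
}

# Constructed catalogue of candidate actions used to expand wildcards.
# A real audit would use a complete per-service action list.
ACTION_CATALOGUE = [
    "cloudwatch:GetInsightRuleReport",
    "cloudwatch:GetMetricData",
    "cloudwatch:DescribeAlarms",
    "cloudwatch:DescribeAlarmHistory",
    "cloudwatch:ListMetrics",
    "cloudwatch:GetDashboard",
    "logs:GetLogEvents",
    "logs:DescribeLogGroups",
    "ec2:DescribeTags",
    "ec2:DescribeInstances",
    "sns:ListTopics",
]

# Constructed broad read-only policy (NOT the real CloudWatchReadOnlyAccess).
SAMPLE_READONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
                   "logs:Get*", "logs:Describe*", "sns:List*", "ec2:Describe*"],
        "Resource": "*",
    }],
})

# A policy that grants exactly the four actions and nothing else.
MINIMAL_SHARE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(MINIMAL_DASHBOARD_ACTIONS),
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM allows a single string or dict where a list is also accepted."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_patterns(policy_doc):
    """Collect the Action patterns of every Allow statement.
    Deny statements are ignored here; a full evaluator would subtract them."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    patterns = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def granted_actions(policy_doc, catalogue=ACTION_CATALOGUE):
    """Expand wildcard patterns against the catalogue. IAM matches action
    names case-insensitively, so both sides are lower-cased first."""
    patterns = [p.lower() for p in allowed_patterns(policy_doc)]
    return {a for a in catalogue
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}


def excess_actions(policy_doc, minimal=MINIMAL_DASHBOARD_ACTIONS,
                   catalogue=ACTION_CATALOGUE):
    """Actions the policy grants that the feature does not need."""
    return sorted(granted_actions(policy_doc, catalogue) - minimal)


def missing_actions(policy_doc, minimal=MINIMAL_DASHBOARD_ACTIONS,
                    catalogue=ACTION_CATALOGUE):
    """Needed actions the policy fails to grant (should be empty)."""
    return sorted(minimal - granted_actions(policy_doc, catalogue))


if __name__ == "__main__":
    for name, doc in [("broad read-only (constructed)", SAMPLE_READONLY_POLICY),
                      ("minimal share role", MINIMAL_SHARE_ROLE_POLICY)]:
        print(f"{name}: excess={excess_actions(doc)} missing={missing_actions(doc)}")
```

The same check applies to any managed policy you consider attaching to a human user: pull the policy document, run it through `excess_actions` with a full action catalogue, and the size of the result is the privilege you are handing out beyond what the task requires.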