
Answer-first summary for fast verification
Answer: Share the dashboard from the CloudWatch console. Enter the product manager’s email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
## Explanation

**Correct Answer: A**

**Why Option A is correct:**

1. **CloudWatch Dashboard Sharing**: Amazon CloudWatch provides a built-in feature to share dashboards with users who don't have AWS accounts.
2. **Principle of Least Privilege**: The product manager only gets access to the specific dashboard, not the entire CloudWatch console or other AWS services.
3. **No AWS Account Required**: The product manager can access the dashboard via a shareable link without needing to create an AWS account.
4. **Email-based sharing**: The dashboard can be shared by entering the product manager's email address, and they receive a secure link to access the dashboard.

**Why other options are incorrect:**

**Option B**:

- Creates an IAM user which violates the requirement that the product manager doesn't have an AWS account
- Provides more permissions than needed (CloudWatchReadOnlyAccess gives access to ALL CloudWatch resources, not just the specific dashboard)
- Requires the product manager to log into AWS console

**Option C**:

- Creates an IAM user which violates the requirement that the product manager doesn't have an AWS account
- ViewOnlyAccess policy provides broader permissions than needed (access to view ALL AWS resources)
- Requires the product manager to navigate and find the dashboard

**Option D**:

- Overly complex solution
- Security risk (bastion server in public subnet with RDP access)
- Requires managing server lifecycle (starting/stopping)
- Not following the principle of least privilege (cached AWS credentials could have more permissions than needed)

**Key AWS Concepts:**

- CloudWatch dashboards can be shared with users outside AWS via email invitations
- Shared dashboards provide read-only access to the specific dashboard only
- This is the most secure and simplest solution for granting external users access to specific CloudWatch dashboards
- The principle of least privilege is maintained by only granting access to the specific dashboard, not broader CloudWatch or AWS permissions
Author: LeetQuiz Editorial Team
A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company's product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager by following the principle of least privilege.
Which solution will meet these requirements?
A
Share the dashboard from the CloudWatch console. Enter the product manager’s email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
B
Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
C
Create an IAM user for the company’s employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
D
Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.