Exam AWS Certified Solutions Architect - Professional topic 1 question 393 discussion

answer is A https://aws.amazon.com/fr/about-aws/whats-new/2017/12/amazon-cloudwatch-now-supports-service-linked-roles-for-ec2-actions-in-alarms/

A is correct (checked directly in the AWS console) EC2 action - Terminate You will not be able to terminate this instance if termination protection is enabled. AWS will use the existing Service Linked Role (AWSServiceRoleForCloudWatchEvents) to perform this action. Show IAM policy document Linked role can do following with EC2 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:RebootInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:CreateSnapshot" ], "Resource": "*" } ] }

Answer is A. The service role for CWevents is assumed and the action (terminate) is executed.

A is the right answer

answer is C "To set up a CloudWatch alarm action that can reboot, stop, or terminate an instance, you must use a service-linked IAM role, AWSServiceRoleForCloudWatchEvents. The AWSServiceRoleForCloudWatchEvents IAM role enables AWS to perform alarm actions on your behalf." https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html

i will go A

Question has too much ambiguity. From => https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html "Permissions : If you are using an AWS Identity and Access Management (IAM) account to create or modify an alarm that performs EC2 actions or Systems Manager OpsItem actions, you must have the iam:CreateServiceLinkedRole permission." So we do not know if John has the following policy. If not then this cannot work and C would be the correct answer.

A. CloudWatch will stop the instance when the action is executed

I'd go with C as the user doesn't have permissions on ec2

A. 1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html#AddingStopActions. 2. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.html Creating a service-linked role for CloudWatch You do not need to manually create any of these service-linked roles. The first time you create an alarm in the AWS Management Console, the IAM CLI, or the IAM API, CloudWatch creates AWSServiceRoleForCloudWatchEvents and AWSServiceRoleForCloudWatchAlarms_ActionSSM for you. The first time When you first enable an account to be a monitoring account for cross-account cross-Region functionality, CloudWatch creates AWSServiceRoleForCloudWatchCrossAccount for you.

A - user has already created an alarm (user has iam:CreateServiceLinkedRole permission)

Right answer should be C. This is tested as-well in an account.

Just tested in my account. Launced EC2 instance. Created test user with CloudWatchFullAccess policy only. Logged in using test user credentials. User is able to create the alarm with action to stop the EC2 instance by CPUUtilizationMetric. During Alarm creation you can manually enter EC2 instance id. (where we take instance is - this is another question) In 5 minutes instance is stopped. sarah_t was right: the only thing is needed is to have permission to create a service-linked role (that is included in CloudWatchFullAccess) Please try yourself who has AWS accounts. You will be surprised

Answer is C Testing in my account, the alarm can created, but Insufficient data state due to no EC2 permission.

As per this link https://aws.amazon.com/premiumsupport/knowledge-center/automatic-recovery-ec2-cloudwatch/ one cannot setup alarm if one doesn't have permission on that EC2 instance

A - john only needs to have the permission to create a service-linked role.

answer is C Example : https://aws.amazon.com/premiumsupport/knowledge-center/automatic-recovery-ec2-cloudwatch/