Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 27 discussion

A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company's product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager by following the principle of least privilege.
Which solution will meet these requirements?

  • A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
  • B. Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
  • C. Create an IAM user for the company's employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
  • D. Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.
Suggested Answer: B

Comments

masetromain
Highly Voted 1 year, 7 months ago
Selected Answer: A
Answer A: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.
upvoted 80 times
123jhl0
1 year, 7 months ago
Thanks for the link! No doubt A is the answer.
upvoted 6 times
omoakin
12 months ago
Nope! The principle of least privilege will contradict that B is the correct answer even ChatGPT says it's B
upvoted 8 times
Azure55
6 months, 2 weeks ago
ChatGPT chooses A
upvoted 2 times
jaswantn
3 months, 1 week ago
I opt for option (B); with the CloudWatchReadOnlyAccess policy it is made sure that no other permission is granted, thus making it the principle of least privilege. But with option (A), more permissions are granted by default, and that too in shareable mode.
upvoted 1 times
ManikRoy
1 month, 3 weeks ago
When you share a dashboard, CloudWatch creates an IAM role in the account which gives the following permissions to the people who you share the dashboard with: cloudwatch:GetInsightRuleReport, cloudwatch:GetMetricData, cloudwatch:DescribeAlarms, ec2:DescribeTags
upvoted 1 times
mn2013
3 months, 3 weeks ago
But this link also says All people who you share the dashboard with are granted these permissions for the account. If you share the dashboard publicly, then everyone who has the link to the dashboard has these permissions. The cloudwatch:GetMetricData and ec2:DescribeTags permissions cannot be scoped down to specific metrics or EC2 instances, so the people with access to the dashboard can query all CloudWatch metrics and the names and tags of all EC2 instances in the account. If that is the case, how is the least privilege principle applicable?
upvoted 2 times
Guru4Cloud
Highly Voted 10 months ago
Selected Answer: B
Option B provides the product manager with specific access to the CloudWatch dashboard using an IAM user with the CloudWatchReadOnlyAccess policy attached. The IAM user has only read-only access to the required resources, which follows the principle of least privilege.
upvoted 14 times
emilyhu08
7 months, 1 week ago
B has a problem with the CloudWatchReadOnlyAccess policy: it not only grants read access to the dashboard, but also other read permissions for logs, insights, etc., so it does not follow the principle of least privilege. Option A only grants access to the dashboard.
upvoted 11 times
HectorCosta
Most Recent 2 weeks ago
Selected Answer: A
Please note that B does not meet the principle of least privilege, simply because granting CloudWatchReadOnlyAccess would allow this user to read ANY Dashboard or metrics, not only this specific one.
upvoted 1 times
lofzee
3 weeks, 4 days ago
For anyone thinking it's B: go and look at the permissions that CloudWatchReadOnlyAccess gives you. There are about 20 different ones, including from other services, e.g. SNS. Sharing the dashboard gives you 4 permissions by default, hence A is the correct answer and actually the recommended method of sharing dashboards. Of course you can then continue to edit the policy after you have shared the dashboard to limit permissions even further, but yes, A is correct.
upvoted 1 times
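Added example (not part of any comment above, and not AWS's or ExamTopics' code): a small Python audit that compares a policy document against the four dashboard-sharing actions quoted in this thread and reports named extras, wildcard patterns, and actions granted on `Resource: "*"`. Both sample policies, the account ID and the ARNs are constructed for illustration; the broad one is not the actual CloudWatchReadOnlyAccess document.

```python
# Added example: audit a policy against the four dashboard-sharing actions.
# Both sample policies below are constructed; neither is copied from AWS.

SHARING_ACTIONS = {  # the four actions quoted in the thread
    "cloudwatch:GetInsightRuleReport", "cloudwatch:GetMetricData",
    "cloudwatch:DescribeAlarms", "ec2:DescribeTags",
}

def _as_list(value):
    """IAM accepts either one string/object or a list for these fields."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, allowed=SHARING_ACTIONS):
    """Report how the policy's Allow statements exceed the allowlist."""
    allowed_lc = {a.lower() for a in allowed}  # action names are case-insensitive
    extra, wildcards, unscoped = set(), set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action or "?" in action:
                wildcards.add(action)      # pattern can match more than the allowlist
            elif action.lower() not in allowed_lc:
                extra.add(action)          # named action outside the allowlist
        if "*" in _as_list(stmt.get("Resource", [])):
            unscoped.update(actions)       # applies to every resource in the account
    return {"extra": sorted(extra), "wildcards": sorted(wildcards),
            "unscoped": sorted(unscoped)}

# Constructed policy shaped like the sharing role the thread describes.
SHARING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:GetMetricData", "ec2:DescribeTags"]},
    {"Effect": "Allow",
     "Resource": ["arn:aws:cloudwatch:us-east-1:111122223333:alarm:example-alarm",
                  "arn:aws:cloudwatch:us-east-1:111122223333:insight-rule/example-rule"],
     "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:GetInsightRuleReport"]},
]}

# Constructed broad read-only policy (not the real CloudWatchReadOnlyAccess document).
BROAD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "logs:Get*",
               "logs:FilterLogEvents", "sns:List*"],
}}

if __name__ == "__main__":
    for name, doc in (("sharing", SHARING_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc))
```

The `unscoped` list for the sharing-style policy shows the point raised earlier in the thread: `cloudwatch:GetMetricData` and `ec2:DescribeTags` stay account-wide even when nothing outside the four actions is granted.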
KRC96
4 weeks ago
In my opinion the answer should be B because the product manager needs to access this dashboard "periodically", so it's good to create an IAM user and grant specific read-only access ("least privileged access", which is another requirement).
upvoted 1 times
Selected Answer: B
A is definitely NOT the answer. A. Sharing the dashboard from the CloudWatch console and providing a shareable link to the product manager may not align with the principle of least privilege. This method could potentially expose other dashboards or resources in the CloudWatch console that the product manager does not need access to.
upvoted 1 times
xxichlas
3 weeks, 1 day ago
option B (https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchReadOnlyAccess.html) gives way more privilege (including the one where the dashboard is shared (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html#share-cloudwatch-dashboard-iamrole))
upvoted 1 times
ManikRoy
1 month, 3 weeks ago
Selected Answer: A
A is the correct answer considering the manager does not have any AWS account, so you cannot create an IAM user.
upvoted 2 times
LIORAGE
1 month, 4 weeks ago
Answer B: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html When you share a dashboard, CloudWatch creates an IAM role in the account which gives the following permissions to the people who you share the dashboard with: cloudwatch:GetInsightRuleReport, cloudwatch:GetMetricData, cloudwatch:DescribeAlarms, ec2:DescribeTags. A does not provide the principle of least privilege.
upvoted 1 times
Abhiiinav
4 months ago
Selected Answer: B
Option A suggests sharing of dashboards with temporary credentials while the product manager needs to view it periodically. If your password expires, you need an extra overhead of resetting the password. Thus option B is correct.
upvoted 2 times
awsgeek75
4 months ago
Selected Answer: A
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html "Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard."
upvoted 2 times
A_jaa
4 months ago
Selected Answer: A
Answer-A
upvoted 1 times
ROBERTXLION
4 months, 3 weeks ago
Selected Answer: B
https://muhammadhassansaee.medium.com/aws-certified-solutions-architect-associate-exam-dumps-with-complete-explanation-part3-5d649a3e850e
upvoted 1 times
SVDK
4 months, 2 weeks ago
His explanation is incorrect. The temporary password must be changed by the product manager and then does not expire. It's only the temp password that expires. Hence A is correct.
upvoted 1 times
tipopeso
4 months, 3 weeks ago
Selected Answer: A
This option allows the product manager to access the CloudWatch dashboard without needing an AWS account. The dashboard can be shared with the product manager via a link, which is generated by AWS and can be accessed securely. This method adheres to the principle of least privilege by granting access only to the specific dashboard required.
upvoted 3 times
smdrouiss
5 months, 2 weeks ago
Selected Answer: A
I have tested it in my console and it worked; I also looked it up in the docs.
upvoted 4 times
kt7
6 months, 1 week ago
A is correct
upvoted 1 times
Ruffyit
6 months, 3 weeks ago
Answer A: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html
upvoted 1 times
danielpark99
7 months, 1 week ago
Selected Answer: A
CloudWatch dashboards with people who do not have direct access to your AWS account
upvoted 1 times