Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 27 discussion

Answere A : https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.

Option B provides the product manager with specific access to the CloudWatch dashboard using an IAM user with the CloudWatchReadOnlyAccess policy attached. The IAM user has only read-only access to the required resources, which follows the principle of least privilege.

Answer is A. This option is available in Cloudwatch

CloudWatch does not allow public links by default, but you can share temporary access using AWS IAM Identity Center (formerly AWS SSO) or a federated user with specific permissions.

Option - B: Here’s why: Principle of Least Privilege: The product manager should only be given the permissions necessary to access the CloudWatch dashboard. The CloudWatchReadOnlyAccess policy grants the least privilege access to view CloudWatch metrics and dashboards. IAM User: Since the product manager does not have an AWS account, creating a specific IAM user for the product manager ensures they can log in securely to AWS, without needing to share broader permissions. Simple Access: After the IAM user is created, the product manager can directly log into AWS, navigate to the CloudWatch dashboard, and access the metrics they need, without excessive complexity or unnecessary access.

Since the Product manager access the account periodically , sharing the account will be the best option https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html

CloudWatch allows dashboards to be shared publicly or with specific users using a shareable URL. This enables access without requiring an AWS account. This approach follows the principle of least privilege because the product manager is given only the ability to view the dashboard via the shared link, without needing broader access to the AWS environment. This is the correct choice because it directly meets the requirements without granting unnecessary permissions or requiring the creation of AWS credentials.

1.Direct Sharing Without AWS Account: Amazon CloudWatch allows dashboards to be shared externally via a shareable link. This enables users without an AWS account to access the dashboard securely, which meets the requirement to allow the product manager (who doesn’t have an AWS account) to view the dashboard. 2.Least Privilege Principle: The product manager only gets access to the specific dashboard, and no additional permissions or access to the AWS environment are granted. This aligns with the principle of least privilege. 3.No Operational Overhead: The solution does not require creating new IAM users or setting up infrastructure like bastion servers. It’s straightforward and efficient.

I will go with B even though A sounds like a better choice for the following reasons: 1, You need a solution to share your dashboard. 2, You only share a specific metric of an application to whom lack access to AWS. 3, Target in question only access periodically. 4, Must apply least privilege. Though A & B are good choices to share you dashboard, A doesn't follow least privilege principal because it provides more permission than needed. Not to mention this solution also raises concerns about security since this dashboard is public.

respuesta es A: Esta solución permite cumplir con los requisitos de acceso seguro y controlado sin una cuenta completa de AWS y sigue el principio de mínimo privilegio para acceder solo a los paneles necesarios en Amazon CloudWatch.

The correct answer is: A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager. Explanation: Principle of Least Privilege: The solution should only provide the minimum necessary access. Sharing a CloudWatch dashboard directly meets this principle without the need for an AWS account. Shareable Link: CloudWatch allows you to share a dashboard using a shareable URL that can be accessed without requiring AWS credentials. This way, the product manager can view the dashboard without having an AWS account. No IAM User Required: Solutions involving IAM users (options B and C) require creating an AWS identity and sharing credentials, which introduces unnecessary security risks and management overhead. No Bastion Server: Deploying a bastion server (option D) is not practical, involves additional costs, and requires managing another infrastructure component, which goes against simplicity and security best practices.

The correct answer is: A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager. Explanation: Principle of Least Privilege: The solution should only provide the minimum necessary access. Sharing a CloudWatch dashboard directly meets this principle without the need for an AWS account. Shareable Link: CloudWatch allows you to share a dashboard using a shareable URL that can be accessed without requiring AWS credentials. This way, the product manager can view the dashboard without having an AWS account. No IAM User Required: Solutions involving IAM users (options B and C) require creating an AWS identity and sharing credentials, which introduces unnecessary security risks and management overhead. No Bastion Server: Deploying a bastion server (option D) is not practical, involves additional costs, and requires managing another infrastructure component, which goes against simplicity and security best practices.

correct answer B the reason A is not a good answer is: when sharing a link to the CloudWatch dashboard the following warning appears We recommend that you do not share dashboards if your account contains any sensitive information which you would not wish to share with the users with whom you are sharing the dashboard. The users that you specified above will be granted the following permissions: CloudWatch read-only permissions to alarms and contributor insights rules in the Dashboard which you share, and to all metrics and the names and tags of all EC2 instances in your account even if they are not shown in the Dashboard which you share. We recommend that you consider whether it is appropriate to make this information available to the users with whom you are sharing. so following the least privilege principle, creating an IAM User in option B is more secure

The goal is to allow a product manager (who does not have an AWS account) to access a CloudWatch dashboard periodically. B follows the principle of least privilege, ensuring that the product manager can only view the dashboard and not perform any other actions within AWS.Is direct email sharing is not a feature of CloudWatch?

Least privilege

A would be indeed following the principle of least privilege, but periodic access means we have to do this time and time again when the product manager requests access. B is better

Ans B – its tidy and self-contained, and uses IAM roles as the solution should Others: o Ans A – means personalising access by relying upon the Product Manager’s email – what if he changes his name or a new Product Manager is hired? o Ans C – too lengthy and introduces potential for mistakes o Ans D – not even sure why this is here…