Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 27 discussion

Answere A : https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.

Option B provides the product manager with specific access to the CloudWatch dashboard using an IAM user with the CloudWatchReadOnlyAccess policy attached. The IAM user has only read-only access to the required resources, which follows the principle of least privilege.

I will go with B even though A sounds like a better choice for the following reasons: 1, You need a solution to share your dashboard. 2, You only share a specific metric of an application to whom lack access to AWS. 3, Target in question only access periodically. 4, Must apply least privilege. Though A & B are good choices to share you dashboard, A doesn't follow least privilege principal because it provides more permission than needed. Not to mention this solution also raises concerns about security since this dashboard is public.

respuesta es A: Esta solución permite cumplir con los requisitos de acceso seguro y controlado sin una cuenta completa de AWS y sigue el principio de mínimo privilegio para acceder solo a los paneles necesarios en Amazon CloudWatch.

The correct answer is: A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager. Explanation: Principle of Least Privilege: The solution should only provide the minimum necessary access. Sharing a CloudWatch dashboard directly meets this principle without the need for an AWS account. Shareable Link: CloudWatch allows you to share a dashboard using a shareable URL that can be accessed without requiring AWS credentials. This way, the product manager can view the dashboard without having an AWS account. No IAM User Required: Solutions involving IAM users (options B and C) require creating an AWS identity and sharing credentials, which introduces unnecessary security risks and management overhead. No Bastion Server: Deploying a bastion server (option D) is not practical, involves additional costs, and requires managing another infrastructure component, which goes against simplicity and security best practices.

The correct answer is: A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager. Explanation: Principle of Least Privilege: The solution should only provide the minimum necessary access. Sharing a CloudWatch dashboard directly meets this principle without the need for an AWS account. Shareable Link: CloudWatch allows you to share a dashboard using a shareable URL that can be accessed without requiring AWS credentials. This way, the product manager can view the dashboard without having an AWS account. No IAM User Required: Solutions involving IAM users (options B and C) require creating an AWS identity and sharing credentials, which introduces unnecessary security risks and management overhead. No Bastion Server: Deploying a bastion server (option D) is not practical, involves additional costs, and requires managing another infrastructure component, which goes against simplicity and security best practices.

correct answer B the reason A is not a good answer is: when sharing a link to the CloudWatch dashboard the following warning appears We recommend that you do not share dashboards if your account contains any sensitive information which you would not wish to share with the users with whom you are sharing the dashboard. The users that you specified above will be granted the following permissions: CloudWatch read-only permissions to alarms and contributor insights rules in the Dashboard which you share, and to all metrics and the names and tags of all EC2 instances in your account even if they are not shown in the Dashboard which you share. We recommend that you consider whether it is appropriate to make this information available to the users with whom you are sharing. so following the least privilege principle, creating an IAM User in option B is more secure

The goal is to allow a product manager (who does not have an AWS account) to access a CloudWatch dashboard periodically. B follows the principle of least privilege, ensuring that the product manager can only view the dashboard and not perform any other actions within AWS.Is direct email sharing is not a feature of CloudWatch?

Least privilege

A would be indeed following the principle of least privilege, but periodic access means we have to do this time and time again when the product manager requests access. B is better

Ans B – its tidy and self-contained, and uses IAM roles as the solution should Others: o Ans A – means personalising access by relying upon the Product Manager’s email – what if he changes his name or a new Product Manager is hired? o Ans C – too lengthy and introduces potential for mistakes o Ans D – not even sure why this is here…

Highlight the point least privilege . No user account or no giving access permissions directly sharing link hence ans is A

A. You can share your CloudWatch dashboards with people who do not have direct access to your AWS account

B. specifically for the product manager+correct dashboard A is Incorrect. If you share the dashboard publicly, then everyone who has the link to the dashboard has these permissions. This practice can be considered high risk.

Please note that B does not meet the principle of least privilege, simply because granting CloudWatchReadOnlyAccess would allow this user to read ANY Dashboard or metrics, not only this specific one.

For anyone thinking it's B. Go and look at the permissions that cloud watch read only access gives you, there is about 20 different ones including from other services e.g. SNS. Sharing the dashboard gives you 4 permissions by default, hence A is the correct answer and actually the recommended method of sharing dashboards. Of course you can then continue to edit the policy after you have shared the dashboard to limit permissions even further, but yes, A is the correct.

In my opinion answer should B because, Product manager need to access this dashboard "Periodically." so its good that create IAM user and grant specific read only access.("Least privileged access which is another requirement)