AWS Certified Solutions Architect - Associate / Question #1046 of 1019

Question #1046

A company is deploying a new service and wants to monitor its performance using an Amazon CloudWatch dashboard. An external auditor needs temporary access to this dashboard to review metrics. The auditor does not have an AWS account. The solutions architect must ensure the auditor can access the dashboard with the least privileges possible.

Which solution meets these requirements?

A

Share the dashboard from the CloudWatch console. Enter the auditor's email address, complete the sharing steps, and provide a shareable link for the dashboard to the auditor.

B

Create an IAM user specifically for the auditor. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the login credentials and dashboard URL with the auditor.

C

Create an IAM user for external reviewers. Attach the ViewOnlyAccess AWS managed policy to the user. Share the credentials and instruct the auditor to locate the dashboard in the CloudWatch console.

D

Deploy a VPN connection to the company's VPC. Grant the auditor VPN access and provide the dashboard URL, assuming the auditor's device has permissions to access internal AWS resources.

Explanation

Answer A is correct because:
1. No AWS Account Required: The auditor does not have an AWS account, and sharing the dashboard via email/link (A) avoids creating IAM users (B, C) or VPN access (D).
2. Least Privilege: Shared dashboards are read-only by default, ensuring the auditor cannot modify resources.
3. Temporary Access: The link can be revoked later.

Other options fail because:
- B/C: Require IAM user creation and credential sharing, which is insecure and unnecessary.
- D: Requires a VPN setup, which is overly complex, and grants broader network access than needed.

Key Points: Use CloudWatch dashboard sharing for external, temporary, read-only access without AWS accounts.

Answer

The correct answer is: A