A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company's product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager by following the principle of least privilege.
Which solution will meet these requirements?
A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
B. Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
C. Create an IAM user for the company's employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
D. Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.
A
Technique: eliminate the clearly wrong options first, then pick the most reasonable of the options that remain.
A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company's product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager while following the principle of least privilege.
A. Correct. Share the dashboard from the CloudWatch console, enter the product manager's email address, complete the sharing steps, and provide the product manager with a shareable link to the dashboard. CloudWatch dashboard sharing lets you share a read-only view of a dashboard with a specific email address. No AWS account has to be created for the product manager; a shareable link is enough. When the product manager opens the link, no AWS credentials are required and only the dashboard's contents can be viewed, which satisfies the principle of least privilege.
B. Incorrect. Creating an IAM user specifically for the product manager, attaching the CloudWatchReadOnlyAccess AWS managed policy, sharing the new login credentials, and sharing the browser URL of the dashboard requires provisioning an AWS identity (an IAM user) for the product manager, which adds management overhead. In addition, sharing login credentials is a security risk.
C. Incorrect. Creating an IAM user for the company's employees, attaching the ViewOnlyAccess AWS managed policy, sharing the new login credentials, and asking the product manager to navigate to the CloudWatch console and locate the dashboard by name likewise requires provisioning an AWS identity (an IAM user) for the product manager, which adds management overhead, and sharing login credentials is a security risk. The ViewOnlyAccess policy is also far too broad, because the product manager only needs access to one specific CloudWatch dashboard.
D. Incorrect. Deploying a bastion server in a public subnet, starting it and sharing RDP credentials whenever the product manager needs access, and configuring the browser on the bastion to open the dashboard URL with cached AWS credentials that have the appropriate permissions is far too complex: it requires deploying and managing a bastion server, and giving the product manager RDP access to it adds both operational complexity and security risk.