A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company's product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager by following the principle of least privilege.
Which solution will meet these requirements?
A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
B. Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
C. Create an IAM user for the company's employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
D. Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.
A
Tip: eliminate the obviously wrong options first, then choose the most reasonable option among those that remain.
A. Correct. Share the dashboard from the CloudWatch console, enter the product manager's email address, complete the sharing steps, and provide the product manager with a shareable link to the dashboard. CloudWatch dashboard sharing lets you share a read-only view of a dashboard with a specific email address. This approach does not require creating an AWS account for the product manager; a shareable link is enough. When the product manager opens the dashboard through the link, no AWS credentials are needed and only the dashboard contents can be viewed, which satisfies the principle of least privilege.
B. Incorrect. Create an IAM user specifically for the product manager, attach the CloudWatchReadOnlyAccess AWS managed policy to that user, share the new login credentials with the product manager, and share the browser URL of the correct dashboard. This approach requires creating an AWS account and an IAM user for the product manager, which adds management complexity. Sharing login credentials also poses a security risk.
C. Incorrect. Create an IAM user for the company's employees, attach the ViewOnlyAccess AWS managed policy to that IAM user, share the new login credentials with the product manager, and ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section. This approach likewise requires creating an AWS account and an IAM user for the product manager, which adds management complexity, and sharing login credentials poses a security risk. The ViewOnlyAccess policy is also too broad, because the product manager only needs access to one specific CloudWatch dashboard.
D. Incorrect. Deploy a bastion server in a public subnet; when the product manager needs access to the dashboard, start the server and share the RDP credentials, and on the bastion server ensure the browser is configured to open the dashboard URL with cached AWS credentials that have the appropriate permissions. This approach is overly complex, since a bastion server must be deployed and managed. The product manager would need RDP access to the bastion server, which increases both operational complexity and security risk.