AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 326
An AWS account owner has set up multiple IAM users. One of these IAM users, named John, has CloudWatch access, but no access to EC2 services. John has set up an alarm action which stops EC2 instances when their CPU utilization is below the threshold limit. When an EC2 instance's CPU utilization rate drops below the threshold John has set, what will happen and why?
Answer options
- A. Nothing will happen. John cannot set an alarm on EC2 since he does not have the permission.
- B. CloudWatch will stop the instance when the action is executed.
- C. Nothing will happen because it is not possible to stop the instance using the CloudWatch alarm.
- D. Nothing will happen. John can set up the action, but it will not be executed because he does not have EC2 access through IAM policies.
Correct answer: D
Explanation
While CloudWatch supports alarm actions that can stop or terminate EC2 instances, the execution of these actions relies on the permissions of the IAM user who set them up. Because John lacks the necessary EC2 permissions in his IAM policy, the execution will fail and the instance will not be stopped. Therefore, John can create the alarm, but the execution of the stop action will be blocked.