AWS Certified Security – Specialty — Question 56
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
Answer options
- A. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream.
- B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
- C. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
- D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
Correct answer: C
Explanation
The correct answer is C: adding a statement that allows cloudwatch:putMetricData grants exactly the single action the application needs to publish custom metrics, and nothing more. Option A is incorrect because logs:putLogEvents and logs:createLogStream are CloudWatch Logs actions for writing log events, not for publishing metrics. Option B is overly permissive: the CloudWatchFullAccess managed policy grants full access to CloudWatch, far more than the one action required. Option D is incorrect because a trust relationship controls which principals may assume the role, not which actions the role is allowed to perform, so trusting cloudwatch.amazonaws.com would not give the application permission to publish metrics.