AWS Certified SysOps Administrator – Associate (legacy) — Question 629
You are creating an Auto Scaling group whose instances need to insert a custom metric into CloudWatch.
Which method would be the best way to authenticate your CloudWatch PUT request?
Answer options
- A. Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
- B. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the user's credentials into the instance User Data
- C. Modify the appropriate CloudWatch metric policies to allow the PutMetricData permission to instances from the Auto Scaling group
- D. Create an IAM user with the PutMetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed
Correct answer: A
Explanation
Launching the instances with an IAM role (attached through an instance profile) is the AWS-recommended security best practice: the role supplies temporary security credentials to each EC2 instance automatically, so no long-term secret has to be created, distributed, stored or rotated by hand. Options B and D both place long-lived IAM user credentials on the instance, either in User Data (readable by any process on the instance) or pulled from a private repository, which is an unnecessary security risk. Option C is not possible, because CloudWatch does not support resource-based policies on metrics that could grant instances direct access.
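To make option A concrete, the following Python is an added example (not code from the original question or from AWS): it builds the least-privilege policy documents for the instance role, shows how an application on the instance publishes a metric without any credential in its code, and includes a check that flags the static-credential pattern of options B and D in launch User Data. The namespace name, the sample User Data, the `FakeCloudWatchClient` stand-in for a boto3 client, and the function names are all assumptions made for this example.

```python
"""Added example: least-privilege role for option A, plus a detector for the
static-credential anti-pattern of options B and D in launch User Data."""
import json
import re

# Assumed custom namespace for this example.
CUSTOM_NAMESPACE = "MyApp/Custom"


def build_putmetricdata_policy(namespace: str) -> dict:
    """Identity policy for the instance role. PutMetricData has no
    resource-level permissions, so Resource must be "*"; scope is narrowed
    with the cloudwatch:namespace condition key instead."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {"StringEquals": {"cloudwatch:namespace": namespace}},
        }],
    }


def build_ec2_trust_policy() -> dict:
    """Trust policy that lets EC2 assume the role through its instance profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


class FakeCloudWatchClient:
    """Offline stand-in for boto3.client("cloudwatch"); records the call.
    On a real instance the boto3 client resolves the role credentials from
    the instance profile via the default credential chain."""

    def __init__(self):
        self.calls = []

    def put_metric_data(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def put_custom_metric(client, namespace: str, name: str, value: float) -> dict:
    """Publish one datapoint. No credentials appear here; the client
    already carries the temporary role credentials."""
    return client.put_metric_data(
        Namespace=namespace,
        MetricData=[{"MetricName": name, "Value": value, "Unit": "Count"}],
    )


# Patterns that betray a long-lived IAM user credential embedded in User Data.
ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"aws_secret_access_key\s*[=:]\s*\S+", re.IGNORECASE)


def find_static_credentials(user_data: str) -> list:
    """Return the kinds of static credential material found in User Data.
    User Data is readable by every process on the instance through the
    metadata service, which is why option B is a weak choice."""
    findings = []
    if ACCESS_KEY_ID_RE.search(user_data):
        findings.append("access_key_id")
    if SECRET_KEY_RE.search(user_data):
        findings.append("secret_access_key")
    return findings


# Constructed sample User Data for both approaches (AWS documentation
# example key values, not real credentials).
USER_DATA_OPTION_B = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

USER_DATA_OPTION_A = """#!/bin/bash
# Role credentials come from the instance profile; nothing to embed.
echo "starting application"
"""

if __name__ == "__main__":
    print(json.dumps(build_putmetricdata_policy(CUSTOM_NAMESPACE), indent=2))
    print(json.dumps(build_ec2_trust_policy(), indent=2))
    print("option B user data:", find_static_credentials(USER_DATA_OPTION_B))
    print("option A user data:", find_static_credentials(USER_DATA_OPTION_A))
    client = FakeCloudWatchClient()
    print(put_custom_metric(client, CUSTOM_NAMESPACE, "QueueDepth", 7))
```

In a real deployment the policy from `build_putmetricdata_policy` is attached to the role, the role is wrapped in an instance profile, and the launch configuration references that profile; `put_custom_metric` is then called with `boto3.client("cloudwatch")` and needs no key material at all. The User Data scanner is a cheap pre-deployment check that catches the option B pattern before a launch configuration is created.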