AWS Certified SysOps Administrator – Associate (legacy) — Question 814
An AWS account owner has set up multiple IAM users. One IAM user has only CloudWatch access. He has set up an alarm action that stops the EC2 instances when the CPU utilization is below the threshold limit. What will happen in this case?
Answer options
- A. It is not possible to stop the instance using the CloudWatch alarm
- B. CloudWatch will stop the instance when the action is executed
- C. The user cannot set an alarm on EC2 since he does not have the permission
- D. The user can set up the action but it will not be executed if the user does not have EC2 rights
Correct answer: D
Explanation
An IAM user with CloudWatch permissions is allowed to create and configure alarms with EC2 actions. However, for the action to successfully execute and stop the instance, the user must also have the required EC2 permissions, specifically ec2:StopInstances. Since the user only has CloudWatch access, the alarm will trigger but the stop action will fail to run.