Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
Explanations:
While allowing logs:putLogEvents and logs:createLogStream would enable the application to publish logs to CloudWatch Logs, it does not address the publishing of custom metrics to CloudWatch itself. Therefore, this option does not provide the necessary permissions for the application's primary function of reporting metrics.
Adding the CloudWatchFullAccess managed policy would grant extensive permissions to the application, including access to all CloudWatch functionalities. This is not the least permissive solution as it goes beyond what is necessary to publish custom metrics, which would only require cloudwatch:putMetricData.
Adding a statement to the IAM policy that allows cloudwatch:putMetricData specifically grants the necessary permission for the application to publish custom metrics to CloudWatch. This is a targeted and least permissive approach that ensures the application has just enough permissions to perform its required function without granting excessive access.
Adding a trust relationship for cloudwatch.amazonaws.com is not relevant to the application's ability to publish metrics. A role's trust policy only controls which principals (another account, or an AWS service that needs to assume the role) are allowed to assume it; it does not grant the role any permissions, so it cannot provide the cloudwatch:putMetricData permission the application is missing. Therefore, this does not address the issue at hand.
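The following policy document is an added illustration of the correct option and is not part of the original question or its explanations. It shows the single statement that grants only cloudwatch:PutMetricData (written in the casing used by AWS documentation); the Sid, the example namespace "ExampleApp/Metrics" and the Condition block are assumptions added here to show how the grant can be narrowed further, beyond what the question requires, to one metric namespace using the cloudwatch:namespace condition key. PutMetricData does not support resource-level permissions, so Resource must remain "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublishCustomMetricsOnly",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "ExampleApp/Metrics"
        }
      }
    }
  ]
}
```

Attach this as an inline or customer-managed policy on the role the application already uses. Compared with CloudWatchFullAccess, a failed attempt to call any other CloudWatch, Logs or Alarms API from this role is denied by default, which also makes unexpected AccessDenied events in CloudTrail a useful signal that the application, or something running under its credentials, is doing more than publishing metrics.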