Which solution will meet these requirements?
Share the dashboard from the CloudWatch console. Enter the product manager’s email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
Create an IAM user for the company’s employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.
Explanations:
CloudWatch provides a feature to share dashboards with users outside of the AWS account by generating a shareable link. This approach follows the principle of least privilege by allowing access to only the specific dashboard, without requiring an AWS account or additional permissions for the product manager.
Creating an IAM user and attaching the CloudWatchReadOnlyAccess policy grants more access than necessary: the policy allows read-only access to every CloudWatch resource in the account, not just the one dashboard. This does not align with the principle of least privilege and adds the ongoing burden of managing and rotating the IAM user's credentials.
Assigning the ViewOnlyAccess policy to a general IAM user allows broad read-only access to many AWS services, not just CloudWatch, which violates the principle of least privilege. Additionally, this approach requires the product manager to navigate the AWS console, which adds complexity and may expose more information than needed.
Using a bastion server is a complex and inefficient solution for accessing a CloudWatch dashboard. It requires managing a server and RDP credentials, adds operational overhead, and exposes AWS resources unnecessarily. This solution does not follow the principle of least privilege or provide a user-friendly experience.