AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A company operates separate AWS accounts for application workloads and centralized monitoring. A self-managed Prometheus server runs in an Amazon EKS cluster in the dev account and must forward scraped metrics to an Amazon Managed Service for Prometheus (AMP) workspace that resides in the monitoring account. The solution must avoid static credentials, follow AWS IAM best practices, and require minimal ongoing maintenance. Which approach will meet these requirements?
Create an AMP workspace in the monitoring account. Add an IAM role in that account that trusts the dev account's EKS OIDC provider and grants remote_write permissions to the workspace. Configure an IRSA service account for the Prometheus pod to assume this role and send metrics to the workspace's HTTPS endpoint using SigV4 authentication.
Configure Prometheus to periodically write metric snapshots to an S3 bucket in the dev account, use AWS DataSync to replicate the bucket to the monitoring account, and import the data into the AMP workspace.
Publish metrics from Prometheus to Amazon CloudWatch in the dev account and enable a cross-account CloudWatch metric stream that delivers the metrics to the AMP workspace.
Peer the VPCs and configure the Prometheus server to remote_write to the AMP workspace using a user name and password stored in a Kubernetes secret.
AMP supports cross-account ingestion when the remote_write client (in this case, the Prometheus server running on EKS) signs requests with SigV4 by assuming an IAM role that the AMP workspace trusts. By creating an IAM role in the monitoring account that trusts the EKS cluster's OIDC identity provider in the dev account, the pod can use IAM Roles for Service Accounts (IRSA) to obtain temporary credentials automatically. The Prometheus server is then configured with the workspace's remote_write endpoint and the AWS SigV4 proxy or built-in SigV4 support, eliminating any need for long-lived secrets. The other options rely on unsupported authentication methods, add undifferentiated infrastructure, or depend on services that cannot ingest metrics into AMP.
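The trust relationship described above, as an added example that is not part of the original question: a builder for the role's IRSA trust policy and a check that flags trust statements open to more than one service account. The account ID, OIDC issuer ID, namespace, service account name and both function names are constructed for illustration.

```python
import json

# Constructed placeholder values, not taken from the question.
MONITORING_ACCOUNT = "222222222222"  # account that owns the role and the AMP workspace
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789"  # dev cluster issuer, no https://


def irsa_trust_policy(role_account, issuer, namespace, service_account):
    """Trust policy that lets exactly one Kubernetes service account assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # The cluster's issuer must be registered as an IAM OIDC provider in the role's account.
            "Principal": {"Federated": f"arn:aws:iam::{role_account}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def audit_trust_policy(policy):
    """Return findings for web-identity statements that are scoped too broadly."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        issuer = str(federated).partition(":oidc-provider/")[2]
        conds = stmt.get("Condition", {})
        exact, like = conds.get("StringEquals", {}), conds.get("StringLike", {})
        sub_exact, sub_like = exact.get(f"{issuer}:sub"), like.get(f"{issuer}:sub")
        if not (sub_exact or sub_like):
            findings.append(f"statement {i}: no 'sub' condition, any service account in the cluster can assume the role")
        elif sub_exact is None and "*" in str(sub_like):
            findings.append(f"statement {i}: wildcard in 'sub' condition: {sub_like}")
        if exact.get(f"{issuer}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: 'aud' is not pinned to sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    print(json.dumps(irsa_trust_policy(MONITORING_ACCOUNT, ISSUER, "monitoring", "prometheus"), indent=2))
```

The role's permissions policy then needs only `aps:RemoteWrite` on the workspace ARN, and the service account references the role through the `eks.amazonaws.com/role-arn` annotation.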
AWS Certified CloudOps Engineer Associate SOA-C03
Monitoring, Logging, Analysis, Remediation, and Performance Optimization