AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
Your company maintains a central monitoring account (us-east-1) with CloudWatch dashboards. You must add widgets that show the CPUUtilization metric of EC2 instances in two production accounts (prod-01, prod-02) in us-west-2. Developers in the monitoring account must be able to view dashboards via console or CLI but must not create, modify, or delete them. No extra infrastructure may be deployed. Which approach meets these needs with minimal operational effort?
Enable CloudWatch cross-account observability to link the two production accounts as source accounts, then create the widgets using the account and Region qualifier (for example, accountId=prod-01). Attach an IAM policy to the developers' role that permits GetDashboard, ListDashboards, GetMetricData, and ListMetrics but not PutDashboard.
Create a CloudWatch dashboard in each production account and share them with the monitoring account by using AWS Resource Access Manager. Give developers the ReadOnlyAccess AWS-managed policy.
Export the CPUUtilization metrics to Amazon S3 with an EventBridge rule, load the data into Amazon QuickSight, and build a cross-account analysis dashboard. Assign developers to a QuickSight reader group.
Generate a CloudWatch dashboard snapshot for each production account and embed the PNG URLs in a new dashboard in the monitoring account. Restrict developers to Amazon S3 read-only access so they cannot update dashboards.
CloudWatch cross-account observability lets you visualize metrics that reside in other AWS accounts without moving data. You designate the central account as the monitoring account and link the prod-01 and prod-02 accounts as source accounts. CloudWatch automatically grants the monitoring account permission to call GetMetricData and ListMetrics in each source account, so the dashboard widgets can reference metrics by specifying the account ID and Region.
To satisfy the security constraint, attach an IAM policy to the developers' role in the monitoring account that allows only cloudwatch:GetDashboard, cloudwatch:ListDashboards, cloudwatch:GetMetricData, and cloudwatch:ListMetrics. The policy omits cloudwatch:PutDashboard, which prevents users from creating, editing, or deleting dashboards.
Options that rely on CloudWatch dashboard snapshots or AWS Resource Access Manager do not allow live cross-account metrics. Exporting metrics to S3 and building a QuickSight dashboard adds unnecessary infrastructure and does not use CloudWatch dashboards, while embedding metrics in Amazon Managed Grafana exceeds the stated scope and cost.
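A way to check that a developer policy really is view-only for dashboards, including grants that arrive through wildcards. This is an added example, not part of the original question; the function names, the two sample policies and the simplified evaluation (identity policy only, Resource and Condition handled conservatively) are assumptions.

```python
import fnmatch

# Actions the explanation says developers need in the monitoring account.
REQUIRED = ["cloudwatch:GetDashboard", "cloudwatch:ListDashboards",
            "cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]
# Dashboard write actions. DeleteDashboards is CloudWatch's separate delete
# action; an allow-list of only the four actions above leaves it out as well.
FORBIDDEN = ["cloudwatch:PutDashboard", "cloudwatch:DeleteDashboards"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action):
    """True if the identity policy grants `action` (explicit Deny wins)."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:
            hit = not _matches(_as_list(stmt["NotAction"]), action)
        else:
            hit = _matches(_as_list(stmt.get("Action", [])), action)
        if not hit:
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True   # simplification: any Allow counts, even if scoped
        elif stmt.get("Effect") == "Deny":
            # Simplification: trust a Deny only if it is unconditional and global.
            scoped = "Condition" in stmt or _as_list(stmt.get("Resource", "*")) != ["*"]
            denied = denied or not scoped
    return allowed and not denied

def audit(policy):
    """Return (required actions not granted, forbidden actions granted)."""
    missing = [a for a in REQUIRED if not is_allowed(policy, a)]
    granted = [a for a in FORBIDDEN if is_allowed(policy, a)]
    return missing, granted

# Constructed sample policies, not taken from the page.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": REQUIRED, "Resource": "*"}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:Get*", "cloudwatch:List*", "cloudwatch:Put*"]}]}

if __name__ == "__main__":
    for name, pol in (("READ_ONLY", READ_ONLY), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit(pol))
```

A policy passes when both returned lists are empty; `TOO_BROAD` fails because `cloudwatch:Put*` covers PutDashboard.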
AWS Certified CloudOps Engineer Associate SOA-C03
Monitoring, Logging, Analysis, Remediation, and Performance Optimization