Question 22
Domain 4: Identity and Access Management
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported. Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?
Correct answer: C
Explanation
Amazon CloudWatch custom metrics are published with the `cloudwatch:PutMetricData` API action, so the application needs permission to call that operation. Adding only `cloudwatch:putMetricData` to the IAM policy is the least permissive fix because it grants just the single action required to deliver metrics, rather than broader CloudWatch access.
Why each option is right or wrong
A. Add a statement to the IAM policy used by the application to allow `logs:putLogEvents` and `logs:createLogStream`.
Those permissions write to CloudWatch Logs streams, not CloudWatch custom metrics.
B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
The CloudWatchFullAccess managed policy grants far more than the single `PutMetricData` action the application needs, so it is not the least permissive option and violates least-privilege design.
C. Add a statement to the IAM policy used by the application to allow `cloudwatch:putMetricData`.
CloudWatch custom metrics are submitted through the `PutMetricData` API, and IAM authorization for that call is controlled by the `cloudwatch:PutMetricData` action in the policy. Because the problem states the application had been working until IAM changes were made, the failure is a permissions issue; granting only that single action restores metric delivery without opening any additional CloudWatch capabilities.
D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.
Trust relationships control who can assume a role, not metric-publishing API permissions.