Which method would be the best way to authenticate your CloudWatch PUT request?

seenagapeFebruary 13, 2016

You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch.
Which method would be the best way to authenticate your CloudWatch PUT request?

A.
Create an IAM role with the Put MetricData permission and modify the Auto Scaling launch configuration to
launch instances in that role

B.
Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to
inject the userscredentials into the instance User Data

C.
Modify the appropriate Cloud Watch metric policies to allow the Put MetricData permission to instances
from the Auto Scaling group

D.
Create an IAM user with the PutMetricData permission and put the credentials in a private repository and
have applications on the server pull the credentials as needed

13 Comments on “Which method would be the best way to authenticate your CloudWatch PUT request?”

BigMike says:

June 21, 2016 at 8:26 pm

I suspect the correct Answer is C. Why bother to create a new IAM role just because of a custom metric? We would have tons of roles every time we have new metrics. Also refer to

http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html

More practical to be done on policy level

0

0

Reply
1. venkat sai says:
  
  July 2, 2016 at 1:23 am
  
  How will you allow the metric in instances ? Doesn’t the role associated with instance can have restrictions in accessing the metric data. I agree with Juan.
  
  0
  
  0
  
  Reply
2. JK says:
  
  October 10, 2016 at 8:01 pm
  
  C is incorrect. Instances in the auto scaling group would be constantly changing, you would not be able to keep your policy up to date.
  
  In any case you cannot apply a policy to a cloud watch metric. So the point is moot.
  
  A is absolutely correct.
  
  0
  
  0
  
  Reply
3. BDA says:
  
  February 15, 2017 at 5:48 pm
  
  A “Access to Amazon CloudWatch requires credentials.” Credentials are best distributed as policies associated with roles. That way the EC2 instace can created endles custom metrics with one role.
  
  D just doesn’t make sense
  
  0
  
  0
  
  Reply
Juan Mesa says:

June 27, 2016 at 4:16 am

The correct answer is A. Creates an IAM role is always the best practice to give permissions to EC2 instances in order to interact with other AWS services.

0

0

Reply
Chef says:

July 15, 2016 at 8:13 pm

I think the correct answer is B. We need to do a few things here to make a custom metric work.

AWS_CREDENTIAL_FILE or
both: EC2_PRIVATE_KEY and EC2_CERT

we need to enter this into the instance upon launch with a user data script.

as-create-launch-config

0

0

Reply
raj says:

July 20, 2016 at 6:08 pm

IAM role is the right answer as thats the way to allocate permission for AWS services to interact with EC2 in a secured way.

0

0

Reply
1. BDA says:
  
  February 15, 2017 at 5:49 pm
  
  You R correct sir, the answer is A
  
  0
  
  0
  
  Reply
Ashley says:

November 24, 2016 at 7:16 am

A

0

0

Reply
nyara says:

December 11, 2016 at 6:00 am

a

0

0

Reply
NikiHeat says:

February 12, 2017 at 11:30 pm

A

0

0

Reply
dong says:

February 19, 2017 at 9:56 pm

A

0

0

Reply
Joshua Kim says:

August 12, 2017 at 1:06 am

The correct answer is A.

0

0

Reply