An AWS account owner has set up multiple IAM users. One IAM user has only CloudWatch access. He has set up
an alarm action which stops the EC2 instances when the CPU utilization is below the threshold limit. What will
happen in this case?
A. It is not possible to stop the instance using the CloudWatch alarm
B. CloudWatch will stop the instance when the action is executed
C. The user cannot set an alarm on EC2 since he does not have the permission
D. The user can set up the action but it will not be executed if the user does not have EC2 rights
Explanation:
Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and perform one
or more actions based on the value of the metric relative to a given threshold over a number of time periods.
The user can set up an action which stops the instances when their CPU utilization is below a certain threshold
for a certain period of time. The EC2 action can either stop or terminate the instance.
If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create
an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.
D
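The behaviour described in the explanation can be checked before an alarm silently fails to act. The following is an added example, not code from this page or from AWS: it flags alarms whose EC2 stop or terminate action would not run because the creator's policy lacks the matching EC2 permission. The policy, the alarm records, and the simplified evaluator (which ignores Resource, Condition and NotAction) are constructed assumptions.

```python
import fnmatch

# Constructed identity policy for the CloudWatch-only IAM user in the question.
CLOUDWATCH_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"}],
}

# Constructed alarm records using the AlarmName / AlarmActions fields of DescribeAlarms.
SAMPLE_ALARMS = [
    {"AlarmName": "idle-cpu-stop", "AlarmActions": ["arn:aws:automate:us-east-1:ec2:stop"]},
    {"AlarmName": "idle-cpu-terminate", "AlarmActions": ["arn:aws:automate:us-east-1:ec2:terminate"]},
    {"AlarmName": "notify-only", "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:ops"]},
]

# EC2 alarm action name -> EC2 API permission the alarm creator needs.
REQUIRED = {"stop": "ec2:StopInstances", "terminate": "ec2:TerminateInstances"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action):
    """Simplified IAM check: explicit Deny wins, otherwise any matching Allow.
    Assumption: Resource, Condition and NotAction are ignored."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def unexecutable_actions(policy, alarms):
    """Return (alarm name, missing permission) for EC2 actions that would not run."""
    findings = []
    for alarm in alarms:
        for arn in alarm.get("AlarmActions", []):
            parts = arn.split(":")  # arn:aws:automate:<region>:ec2:<action>
            if len(parts) == 6 and parts[2] == "automate" and parts[4] == "ec2":
                needed = REQUIRED.get(parts[5])
                if needed and not allows(policy, needed):
                    findings.append((alarm["AlarmName"], needed))
    return findings


if __name__ == "__main__":
    for name, missing in unexecutable_actions(CLOUDWATCH_ONLY, SAMPLE_ALARMS):
        print(f"{name}: creator lacks {missing}")
```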
I think the answer is C.
I created a user with CloudWatch full access only and tried to set up an alarm with an EC2 action – it was not possible to save the alarm, due to a permission error.
Ans is C!
Unable to create the alarm action to terminate the EC2 instance if there is no permission to EC2
D is the correct answer
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html :
If you have read/write permissions for Amazon CloudWatch but not for Amazon EC2, you can still create an alarm but the stop or terminate actions won’t be performed on the instance.
D
d
D is Correct:
“If you have read/write permissions for Amazon CloudWatch but not for Amazon EC2, you can still create an alarm but the stop or terminate actions won’t be performed on the instance. However, if you are later granted permission to use the associated Amazon EC2 APIs, the alarm actions you created earlier will be performed. For more information, see Permissions and Policies in the IAM User Guide.”
D
D.
Alarm can be set but it won’t be executed because of no EC2 permissions.