CloudWatch Event Bus Permissions
Question
Your company has a DevOps team to manage AWS accounts used by all the other teams within the company.
In the master AWS account, several CloudWatch Events Rules are established where the CloudWatch Events happening in other AWS accounts can be sent to.
In order to do this, permissions have been configured in the default CloudWatch Event Bus of the master account in region ap-southeast-2
Which entities can be added so that they are permitted to send events to CloudWatch Event Bus in the master account? (Select TWO.)
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E.Correct Answer - B, C.
Please refer to.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.htmlfor the details of sending and receiving CloudWatch Events between AWS Accounts.
Option A is incorrect: Because only individual AWS accounts or organizations can be granted access.
Option B is CORRECT: Because when an organization is specified, all accounts in the organization are permitted.
Option C is CORRECT: Because Everybody can be selected which includes all accounts:
Option D is incorrect: Because the sender and receiver should belong to the same region.
Refer to the above link.
Option E is incorrect: Similar to.
Option A.
IAM group is invalid.
Sure, I'd be happy to help!
The question is asking which entities can be added to the permissions of the default CloudWatch Event Bus in the master account, so that they are permitted to send events to the CloudWatch Event Bus. Let's go through the options one by one:
A. Certain IAM users in the same AWS Organization. This option suggests that certain IAM users in the same AWS Organization can be added to the permissions of the default CloudWatch Event Bus to send events to the master account. This is a possible solution, as you can add specific IAM users to the policy that allows them to send events to the Event Bus.
B. Another AWS Organization. This option suggests that another AWS Organization can be added to the permissions of the default CloudWatch Event Bus to send events to the master account. This is not possible, as Event Bus policies can only be attached to accounts within the same AWS Organization.
C. Everybody (all AWS accounts). This option suggests that every AWS account can be added to the permissions of the default CloudWatch Event Bus to send events to the master account. While it's technically possible to add a "wildcard" in the policy to allow every AWS account to send events, it's not a best practice. It's recommended to only add specific accounts or IAM users to the policy.
D. An AWS account which creates a CloudWatch Events rule in region ap-south-1 and sends events to the master account. This option suggests that an AWS account which creates a CloudWatch Events rule in region ap-south-1 can be added to the permissions of the default CloudWatch Event Bus to send events to the master account. This is possible, as you can add the specific AWS account ID to the policy that allows them to send events to the Event Bus.
E. IAM groups. This option suggests that IAM groups can be added to the permissions of the default CloudWatch Event Bus to send events to the master account. While it's technically possible to add IAM groups to the policy, it's not recommended as it can make the policy more difficult to manage. It's better to add specific IAM users to the policy.
So, the two options that could be added to the permissions of the default CloudWatch Event Bus in the master account to send events to the Event Bus are:
- Certain IAM users in the same AWS Organization.
- An AWS account which creates a CloudWatch Events rule in region ap-south-1 and sends events to the master account.