A data engineer needs to monitor the number of Amazon S3 PUT requests that result in a 403 AccessDenied error. Which CloudWatch metric and dimension should be used?
The `4xxErrors` metric with a filter for 403 provides the count of AccessDenied errors.
Why this answer
The correct answer is C because Amazon S3 CloudWatch metrics include `4xxErrors`, which counts HTTP 4xx status code responses. To filter specifically for 403 AccessDenied errors, you set the `FilterId` dimension to a filter that matches the 403 status code. This allows precise monitoring of unauthorized PUT requests.
Exam trap
The trap here is that candidates confuse `4xxErrors` (which counts all 4xx errors) with a metric that directly counts 403 errors, forgetting that a dimension filter is required to isolate the specific status code.
How to eliminate wrong answers
Option A is wrong because `NumberOfObjects` with the `ObjectType` dimension tracks the count of objects per storage class (e.g., Standard, Glacier), not error responses. Option B is wrong because `BucketSizeBytes` with the `StorageType` dimension measures bucket storage size, not request errors. Option D is wrong because `AllRequests` with the `BucketName` dimension counts all requests (including successful ones) but does not filter by HTTP status code, so it cannot isolate 403 errors.