Exam AWS-SysOps topic 1 question 575 discussion

Exam question from Amazon's AWS-SysOps
Question #: 575
Topic #: 1

A company currently has a single AWS account used by all project teams. The company is migrating to a multi-account strategy, where each project team will have its own account. The AWS IAM configuration must have the same roles and policies for each of the accounts.
What is the MOST efficient way to implement and manage these new requirements?

  • A. Create a portfolio in the AWS Service Catalog for the IAM roles and policies. Have a specific product in the portfolio for each environment, project, and team that can be launched independently by each user.
  • B. Use AWS Organizations to create organizational units (OUs) for each group of projects and each team. Then leverage service control policies at the account level to restrict what services can be used and what actions the users, groups, and roles can perform in those accounts.
  • C. Create an AWS Lambda script that leverages cross-account access to each AWS account, and create all the roles and policies needed using the IAM API and JSON documents stored in Amazon S3.
  • D. Create a single AWS CloudFormation template. Use CloudFormation StackSets to launch the CloudFormation template into each target account from the Administrator account.
Suggested Answer: B
Service control policies (SCPs) are one type of policy that you can use to manage your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization's access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren't available if your organization has enabled only the consolidated billing features.
Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
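
An added illustration (not part of the original page and not AWS code) of the "maximum available permissions" behaviour described above: an action takes effect only when every SCP level allows it and an identity policy in the account also grants it. This is a simplified model that assumes one SCP per level and ignores Resource and Condition elements; the policy documents and function names are constructed for the example.

```python
from fnmatch import fnmatchcase

def decision(policy, action):
    """Evaluate one policy document: 'Deny' beats 'Allow'; None means no statement matched."""
    result = None
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and support * and ? wildcards
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def effective(action, scp_levels, identity_policies):
    """scp_levels: one SCP per level (root, OU, account); every level must allow the action."""
    for scp in scp_levels:
        if decision(scp, action) != "Allow":
            return "blocked by SCP"
    verdicts = [decision(p, action) for p in identity_policies]
    if "Deny" in verdicts:
        return "denied by identity policy"
    if "Allow" not in verdicts:
        # The SCP allowed it, but an SCP never grants anything by itself
        return "not granted by identity policy"
    return "allowed"

# Constructed sample documents (not taken from the page)
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
]}
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:CreateUser"], "Resource": "*"},
]}

def demo():
    levels, identity = [ROOT_SCP, OU_SCP], [ROLE_POLICY]
    actions = ("s3:GetObject", "iam:CreateUser", "ec2:RunInstances", "dynamodb:GetItem")
    return {a: effective(a, levels, identity) for a in actions}

if __name__ == "__main__":
    for action, verdict in demo().items():
        print(f"{action:20} {verdict}")
```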

Comments

cloud
Highly Voted 2 years, 6 months ago
I can vote for B
upvoted 17 times
Kimle
2 years, 5 months ago
B will limit actions to be done in each account, it won't create consistent IAM users/groups in all accounts
upvoted 1 times
...
...
AWS_Noob
Highly Voted 2 years, 6 months ago
I'll say B. It's asking to implement and MANAGE the requirements. Also speaking about roles and policies and services. I'm leaning a lot towards B here.
upvoted 14 times
...
albert_kuo
Most Recent 9 months, 4 weeks ago
Selected Answer: B
AWS Organizations provides a centralized management approach for multiple AWS accounts. It allows you to create a hierarchy of organizational units (OUs) to group and organize accounts based on projects, teams, or other criteria. By using OUs, you can apply consistent policies and controls across multiple accounts, making it easier to manage and enforce security and compliance requirements. With AWS Organizations, you can create a separate OU for each project team's account. Within each OU, you can define service control policies (SCPs) at the account level. SCPs are used to restrict the services that can be accessed and the actions that can be performed within an account. By defining a common set of SCPs for each OU, you can ensure that the same roles and policies are enforced across all accounts in a consistent manner.
upvoted 1 times
...
Ivanyan
1 year, 9 months ago
Selected Answer: B
B. Use AWS Organizations to create organizational units (OUs) for each group of projects and each team. Then leverage service control policies at the account level to restrict what services can be used and what actions the users, groups, and roles can perform in those accounts.
upvoted 1 times
...
fromnowhere
1 year, 11 months ago
Selected Answer: D
I’ll go with D
upvoted 1 times
...
Kimle
2 years, 5 months ago
D. Using a stackset you will work with 1 template that will define IAM users/groups/roles and it will run at all accounts and create IAM resources in a consistent manner; also, you can update it anytime and all accounts will be updated in the same manner. B is wrong as it will limit what services can be used, however it won't prevent you from creating totally different users/roles/policies in each account!!
upvoted 3 times
...
dmolasaria
2 years, 5 months ago
"The AWS IAM configuration must have the same roles and policies for each of the accounts." Ans is D because that's how you can deploy roles and policies and manage changes in future. Ans cannot be B because there is no way to create resources using SCP and the question didn't say anything about allow/deny.
upvoted 3 times
...
abhishek_m_86
2 years, 6 months ago
B. Use AWS Organizations to create organizational units (OUs) for each group of projects and each team. Then leverage service control policies at the account level to restrict what services can be used and what actions the users, groups, and roles can perform in those accounts. Seems correct
upvoted 3 times
...
MikeyPR
2 years, 6 months ago
B. Source: https://aws.amazon.com/blogs/industries/defining-an-aws-multi-account-strategy-for-telecommunications-companies/
upvoted 2 times
...
jackdryan
2 years, 6 months ago
I'll go with B
upvoted 2 times
...
hurryhurry
2 years, 6 months ago
Solution: B. Keywords: implement and manage
upvoted 1 times
...
MFDOOM
2 years, 6 months ago
B. Use AWS Organizations to create organizational units (OUs) for each group of projects and each team. Then leverage service control policies at the account level to restrict what services can be used and what actions the users, groups, and roles can perform in those accounts
upvoted 1 times
...
waterzhong
2 years, 6 months ago
B. Stacksets only creates the policy in the multiple accounts. It does not implement the Multi-Account strategy. Only AWS Organizations can implement a Multi-Account Strategy.
upvoted 1 times
grekh001
2 years, 6 months ago
D. The question is not asking how to implement a multi-account strategy. The question is asking how to create IAM roles and policies in multiple accounts. That is done with StackSets.
upvoted 3 times
...
...
ThoseWereTheDays
2 years, 6 months ago
Agree D is right approach: https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/
upvoted 4 times
...
karmaah
2 years, 6 months ago
Ans should be D - Reason: stacksets
upvoted 9 times
smplysam
2 years, 6 months ago
I agree with D. B - Will not create roles and policies in each account. The best way to create them is through CloudFormation stacksets.
upvoted 8 times
shimmy
2 years, 6 months ago
Stacksets only creates the policy in the multiple accounts. It does not implement the Multi-Account strategy. Only AWS Organizations can implement a Multi-Account Strategy.
upvoted 6 times
Kimle
2 years, 5 months ago
Using a stackset you will work with 1 template that will define IAM users/groups/roles and it will run at all accounts and create IAM resources in a consistent manner; also, you can update it anytime and all accounts will be updated in the same manner
upvoted 1 times
...
...
...
...