Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 245 discussion

A company has five development teams that have each created five AWS accounts to develop and host applications. To track spending, the development teams log in to each account every month, record the current cost from the AWS Billing and Cost Management console, and provide the information to the company's finance team.

The company has strict compliance requirements and needs to ensure that resources are created only in AWS Regions in the United States. However, some resources have been created in other Regions.

A solutions architect needs to implement a solution that gives the finance team the ability to track and consolidate expenditures for all the accounts. The solution also must ensure that the company can create resources only in Regions in the United States.

Which combination of steps will meet these requirements in the MOST operationally efficient way? (Choose three.)

  • A. Create a new account to serve as a management account. Create an Amazon S3 bucket for the finance team. Use AWS Cost and Usage Reports to create monthly reports and to store the data in the finance team's S3 bucket.
  • B. Create a new account to serve as a management account. Deploy an organization in AWS Organizations with all features enabled. Invite all the existing accounts to the organization. Ensure that each account accepts the invitation.
  • C. Create an OU that includes all the development teams. Create an SCP that allows the creation of resources only in Regions that are in the United States. Apply the SCP to the OU.
  • D. Create an OU that includes all the development teams. Create an SCP that denies the creation of resources in Regions that are outside the United States. Apply the SCP to the OU.
  • E. Create an IAM role in the management account. Attach a policy that includes permissions to view the Billing and Cost Management console. Allow the finance team users to assume the role. Use AWS Cost Explorer and the Billing and Cost Management console to analyze cost.
  • F. Create an IAM role in each AWS account. Attach a policy that includes permissions to view the Billing and Cost Management console. Allow the finance team users to assume the role.
Suggested Answer: BDE

Comments

SmileyCloud
Highly Voted 1 year, 4 months ago
Selected Answer: BDE
B - You need AWS Orgs to manage all other accts
D - You need to deny creating resources
E - You create the role in the mgmt acct not in each AWS acct. That's the point of the mgmt acct.
upvoted 9 times
Arnaud92
1 year, 2 months ago
I'm not sure about E. The management account in AWS Organisations is to manage member accounts and policies but not roles. I'll go for F instead.
upvoted 2 times
...
...
SkyZeroZx
Highly Voted 1 year, 3 months ago
Selected Answer: BDE
Remember: an SCP only denies, it does not allow (by definition).
upvoted 8 times
...
red_panda
Most Recent 5 months, 1 week ago
Selected Answer: BDE
Answer is BDE without any doubt!
upvoted 2 times
...
Wardove
8 months, 3 weeks ago
Selected Answer: BDE
Not C because there is no word about default SCP removal. FullAWSAccess - without an explicit deny SCP would not suffice the requirement
upvoted 2 times
...
veyisceylan
8 months, 3 weeks ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html
Notes
  • An Allow statement in an SCP permits the Resource element to only have a "*" entry.
  • An Allow statement in an SCP can't have a Condition element at all.
Therefore Option C is not possible
upvoted 1 times
...
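Added example, not part of any comment on this page and not AWS's own code: a Python sketch that builds the Region deny SCP described in option D and checks a policy against the two Allow-statement rules quoted from the AWS notes in the comment above. The Region list, the Sid names and the helper names `build_region_deny_scp` and `lint_scp` are assumptions made for illustration.

```python
import json

# Assumption: the four commercial US Regions; adjust to the Regions your policy permits.
US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]

def build_region_deny_scp(allowed_regions):
    """Option D: deny every request whose target Region is not in the allow-list.
    Simplified for illustration; review service coverage before attaching to an OU."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)}},
        }],
    }

def lint_scp(policy):
    """Return violations of the Allow-statement rules quoted in the comment above."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements may carry Condition elements
        label = stmt.get("Sid", f"statement[{i}]")
        if "Condition" in stmt:
            problems.append(f"{label}: Allow statement cannot have a Condition element")
        if stmt.get("Resource") not in ("*", ["*"]):
            problems.append(f"{label}: Allow statement Resource must be \"*\"")
    return problems

# Constructed sample: the Region-scoped Allow that option C would require.
OPTION_C_ATTEMPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyUsRegions",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": US_REGIONS}},
    }],
}

if __name__ == "__main__":
    print(json.dumps(build_region_deny_scp(US_REGIONS), indent=2))
    print(lint_scp(OPTION_C_ATTEMPT))
```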
GoKhe
10 months, 1 week ago
BCE and it aligns with what ChatGPT thinks
upvoted 1 times
...
duriselvan
10 months, 3 weeks ago
ABD - ANS
A. Create a new account to serve as a management account. Create an Amazon S3 bucket for the finance team. Use AWS Cost and Usage Reports to create monthly reports and to store the data in the finance team's S3 bucket.
B. Create a new account to serve as a management account. Deploy an organization in AWS Organizations with all features enabled. Invite all the existing accounts to the organization. Ensure that each account accepts the invitation.
D. Create an OU that includes all the development teams. Create an SCP that denies the creation of resources in Regions that are outside the United States. Apply the SCP to the OU.
upvoted 2 times
...
shaaam80
11 months ago
Selected Answer: BDE
Answer - BDE
upvoted 1 times
...
career360guru
11 months, 1 week ago
Selected Answer: BDE
Explicit Deny is more strict than Explicit Allow, as a member account can add an allow for creation of resources in other regions.
upvoted 6 times
...
NikkyDicky
1 year, 3 months ago
Selected Answer: BDE
BDE - going with the crowd, although C seems like it'd work too. Is the issue that it can be overridden at account level?
upvoted 1 times
Tofu13
11 months, 2 weeks ago
Not exactly overwritten. If you allow the creation in certain regions in the SCP, all member accounts are allowed to create instances in the region. But each member account can add IAM policies to allow to create them in different regions as well, unless there is an explicit deny. Therefore only D works.
upvoted 2 times
...
...
Christina666
1 year, 3 months ago
Selected Answer: BDE
BDE
Org -> enable all features -> invite all member accounts -> member accounts accept invitation
Org -> mgmt account -> create IAM role to access member account -> log in to member account, assume this role to view billing
upvoted 1 times
...
SkyZeroZx
1 year, 3 months ago
Selected Answer: BDE
For C, do an allow statement with StringEquals; for D, do a deny statement with StringNotEquals of US region. So C & D are both right.
Cost Explorer has all the reports, creating an S3 is NOT operationally efficient – A is out.
IAM role is needed to view billing - E
upvoted 1 times
...
javitech83
1 year, 4 months ago
Selected Answer: BDE
correct answer is BDE
upvoted 1 times
...
easytoo
1 year, 4 months ago
b-c-e...b-c-e
upvoted 1 times
...
nexus2020
1 year, 4 months ago
Selected Answer: BDE
For C, do an allow statement with StringEquals; for D, do a deny statement with StringNotEquals of US region. So C & D are both right.
Cost Explorer has all the reports, creating an S3 is NOT operationally efficient – A is out.
IAM role is needed to view billing - E
upvoted 2 times
...
PhuocT
1 year, 4 months ago
B, D and E
upvoted 1 times
...
ozelllll
1 year, 4 months ago
Selected Answer: BDF
it's BDF
upvoted 2 times
...