
Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 385 discussion

A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account.

Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads.

Which strategy will meet these requirements?

  • A. Create separate OUs in AWS Organizations for each development unit. Assign the created OUs to the company AWS accounts. Create separate SCP with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag that matches the development unit name. Assign the SCP to the corresponding OU.
  • B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers’ assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit.
  • C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Create an SCP with an allow action and a StringEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.
  • D. Create separate IAM policies for each development unit. For every IAM policy, add an allow action and a StringEquals condition for the DevelopmentUnit resource tag and the development unit name. During SAML federation, use AWS Security Token Service (AWS STS) to assign the IAM policy and match the development unit name to the assumed IAM role.
Suggested Answer: B
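As an added example (not part of the question or of any comment), option B's Deny statement written out as an IAM policy document, with a small Python evaluator of its StringNotEquals condition run over constructed session tags and instance tags; the action list, ARN pattern and unit names are assumptions.

```python
# Option B's Deny statement as an IAM policy document. The tag key
# DevelopmentUnit is from the question; the action list and ARN pattern are
# assumptions made for this example.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInstancesOfOtherDevelopmentUnits",
        "Effect": "Deny",
        "Action": ["ec2:StopInstances", "ec2:RebootInstances", "ec2:TerminateInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {
            "ec2:ResourceTag/DevelopmentUnit": "${aws:PrincipalTag/DevelopmentUnit}"
        }},
    }],
}

VAR_PREFIX = "${aws:PrincipalTag/"

def resolve(value, principal_tags):
    """Expand a ${aws:PrincipalTag/Key} variable from the STS session tags the
    SAML assertion carried; None when the principal lacks that tag."""
    if value.startswith(VAR_PREFIX) and value.endswith("}"):
        return principal_tags.get(value[len(VAR_PREFIX):-1])
    return value

def deny_applies(statement, principal_tags, resource_tags):
    """True when the statement's StringNotEquals condition matches.
    IAM rule mirrored here: a negated operator is true when the condition key
    is absent from the request, so an UNTAGGED instance is denied as well.
    A principal with no DevelopmentUnit session tag is treated as a mismatch
    (fail closed); that choice is this example's, not a documented IAM rule."""
    for key, wanted in statement["Condition"]["StringNotEquals"].items():
        tag_key = key.split("/", 1)[1]  # "ec2:ResourceTag/X" -> "X"
        actual = resource_tags.get(tag_key)
        expected = resolve(wanted, principal_tags)
        if actual is not None and expected is not None and actual == expected:
            return False  # tags match: the Deny does not apply
    return True

def decision(principal_tags, resource_tags):
    """'Deny' if the statement matches, else 'Allow' (assumes the role's other
    statements grant the EC2 actions, as the question implies)."""
    return "Deny" if deny_applies(POLICY["Statement"][0], principal_tags, resource_tags) else "Allow"

if __name__ == "__main__":
    dev = {"DevelopmentUnit": "payments"}  # constructed session tags from SAML
    for tags in ({"DevelopmentUnit": "payments"}, {"DevelopmentUnit": "fraud"}, {}):
        print(tags, decision(dev, tags))  # Allow, Deny, Deny
```

For this to work in a real account the role trust policy must also allow sts:TagSession next to sts:AssumeRoleWithSAML, and every instance must actually carry the DevelopmentUnit tag, otherwise the Deny blocks every unit's developers from untagged instances.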

Comments

vibzr2023
Highly Voted 10 months, 3 weeks ago
Answer: B. Option A: While OUs and SCPs can provide access control, they are more suitable for broader permission boundaries and might not offer the same granularity as STS session tags and IAM policies.
upvoted 6 times
AzureDP900
Most Recent 1 week, 2 days ago
B is right. The goal is to prevent developers from managing resources in another development unit's account, but still allow them to manage their own instances. By passing an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation, you can filter the IAM policies assigned to the developers' assumed IAM roles based on their own development unit name. Updating the IAM policy with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit ensures that developers cannot manage resources in another development unit's account. This approach also allows developers to manage their own instances, as long as they are not trying to access resources from another development unit.
upvoted 1 times
career360guru
10 months, 2 weeks ago
Selected Answer: B
Option A will not work for common Production Account.
upvoted 4 times
shaaam80
11 months, 3 weeks ago
Selected Answer: B
Answer B. A won't work as developer units need to deploy resources in the common Production account.
upvoted 3 times
J0n102
11 months, 4 weeks ago
Selected Answer: B
Answer: B
upvoted 2 times
siasiasia
11 months, 4 weeks ago
Selected Answer: B
A won't work for the common account which everybody needs access to. B is the way to go.
upvoted 2 times
heatblur
12 months ago
Selected Answer: B
B is the best answer. This approach involves tagging federated identity sessions with a DevelopmentUnit attribute and then using IAM policies to deny actions if the DevelopmentUnit tag of the resource does not match the aws:PrincipalTag/DevelopmentUnit. This method directly ties permissions to the federated identity, allowing for finer-grained access control that aligns with your requirements.
upvoted 4 times
salazar35
12 months ago
Selected Answer: B
Should be B
upvoted 2 times
HunkyBunky
12 months ago
Selected Answer: B
Should be B - https://www.examtopics.com/discussions/amazon/view/60000-exam-aws-certified-solutions-architect-professional-topic-1/
upvoted 2 times
devalenzuela86
1 year ago
Selected Answer: A
A for sure
upvoted 3 times
marszalekm
9 months, 2 weeks ago
For sure not; this doesn't address the problem where developers need to deploy in the common Production Account.
upvoted 4 times
Community vote distribution
  • A (35%)
  • C (25%)
  • B (20%)
  • Other