Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 789 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 789
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company needs a solution to prevent AWS CloudFormation stacks from deploying AWS Identity and Access Management (IAM) resources that include an inline policy or “*” in the statement. The solution must also prohibit deployment of Amazon EC2 instances with public IP addresses. The company has AWS Control Tower enabled in its organization in AWS Organizations.

Which solution will meet these requirements?

  • A. Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
  • B. Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
  • C. Use AWS Config to create rules for EC2 and IAM compliance. Configure the rules to run an AWS Systems Manager Session Manager automation to delete a resource when it is not compliant.
  • D. Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the actions lead to noncompliance.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Andy_09 at Feb. 6, 2024, 8:12 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
agg42
Highly Voted 8 months, 3 weeks ago
Selected Answer: A
proactive controls pls see links for both * in inline policy: https://docs.aws.amazon.com/controltower/latest/userguide/iam-rules.html#ct-iam-pr-1-description and for ec2 public IP: https://docs.aws.amazon.com/controltower/latest/userguide/ec2-rules.html#ct-ec2-pr-9-description
upvoted 8 times
...
jaswantn
Highly Voted 9 months, 1 week ago
Selected Answer: D
Option D... This is preventive control of Control Tower where we use SCP to disallow actions that lead to policy violation.
upvoted 7 times
...
MatAlves
Most Recent 2 months ago
Selected Answer: A
Prevent AWS CloudFormation from deploying IAM resources and EC2 instances based on specific use cases = Control Tower Proactive controls. "Proactive controls are security controls that are designed to prevent the creation of noncompliant resources. For example (...), through AWS CloudFormation, the proactive control can prevent the creation of update of any S3 bucket that has public access enabled." https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/proactive-controls.html
upvoted 2 times
...
88f8032
6 months, 3 weeks ago
Selected Answer: A
this is A
upvoted 1 times
...
Sergiuss95
6 months, 3 weeks ago
Selected Answer: D
Is D, the best way to prevent this actions, is deploying SCPs
upvoted 1 times
...
BBR01
6 months, 3 weeks ago
Selected Answer: D
It is D. You want to prevent the events from happening. Proactive controls check whether resources are compliant with your company policies and objectives, before the resources are provisioned in your accounts. Detective controls detect specific events when they occur and log the action in CloudTrail. Preventive controls prevent actions from occurring. Preventive controls are implemented with SCPs. Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks. https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#how-controls-work
upvoted 1 times
TwinSpark
6 months ago
as stated by you A is correct, Proactive controls are implemented as cloudformation hooks and the resource will not be deployed if not compliants. It is exactly what is asked in question. Using an SCP it is actually a valid solution, but it need to be associated to a specific resource that is not specified. If you associated to root account nobody can deploy a public ip ec2, not only cloudformation
upvoted 1 times
...
...
osmk
8 months, 3 weeks ago
Selected Answer: A
Proactive controls are implemented using AWS CloudFormation hooks within AWS Control Tower. They operate before resources are deployed to determine compliance with activated controls. SCPs are part of AWS Organizations and are used to manage permissions. vs Define specific purposes for implementing controls.https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html
upvoted 5 times
osmk
8 months, 3 weeks ago
SCPs focus on managing permissions at the OU level, while proactive controls in AWS Control Tower help prevent non-compliance during resource provisioning.
upvoted 2 times
...
...
NayeraB
9 months ago
Selected Answer: A
A would provide a proactive solution, also I'm not sure if SCP are made for granular details like creation of EC2 instances with public IP addresses or IAM resources with certain inline policies.
upvoted 2 times
...
Andy_09
9 months, 2 weeks ago
Option D
upvoted 2 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel