Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 789 discussion

A company needs a solution to prevent AWS CloudFormation stacks from deploying AWS Identity and Access Management (IAM) resources that include an inline policy or “*” in the statement. The solution must also prohibit deployment of Amazon EC2 instances with public IP addresses. The company has AWS Control Tower enabled in its organization in AWS Organizations.

Which solution will meet these requirements?

  • A. Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
  • B. Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
  • C. Use AWS Config to create rules for EC2 and IAM compliance. Configure the rules to run an AWS Systems Manager Session Manager automation to delete a resource when it is not compliant.
  • D. Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the actions lead to noncompliance.
Suggested Answer: A

Comments

[Removed]
Highly Voted 11 months, 1 week ago
Selected Answer: A
Proactive controls. Please see the links for both: "*" in an inline policy: https://docs.aws.amazon.com/controltower/latest/userguide/iam-rules.html#ct-iam-pr-1-description and EC2 public IP: https://docs.aws.amazon.com/controltower/latest/userguide/ec2-rules.html#ct-ec2-pr-9-description
upvoted 9 times
jaswantn
Highly Voted 11 months, 3 weeks ago
Selected Answer: D
Option D... This is a preventive control of Control Tower, where we use an SCP to disallow actions that lead to policy violations.
upvoted 7 times
FlyingHawk
Most Recent 1 week, 5 days ago
Selected Answer: A
Proactive controls check whether resources are compliant with your company policies and objectives, before the resources are provisioned in your accounts. If the resources are out of compliance, they are not provisioned. Proactive controls monitor resources that would be deployed in your accounts by means of AWS CloudFormation templates. For those who are familiar with AWS: In AWS Control Tower preventive controls are implemented with Service Control Policies (SCPs). Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks.
upvoted 1 times
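As an added illustration (not code from this thread or from AWS), the check below mirrors what the proactive controls discussed above evaluate in a CloudFormation hook before a stack is provisioned: IAM roles, users, groups or policies that carry an inline policy or a "*" in a statement, and EC2 instances that request a public IP. The template it scans is constructed for the example.

```python
"""Pre-deployment CloudFormation template check, modelled on the behaviour of
the Control Tower proactive controls for inline IAM policies with "*" and for
EC2 instances with public IPs. Illustrative code; SAMPLE_TEMPLATE is constructed."""

# Constructed template: one IAM violation, one EC2 violation, one clean role.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "inline", "PolicyDocument": {
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
        "ReadRole": {"Type": "AWS::IAM::Role", "Properties": {
            "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}},
        "Web": {"Type": "AWS::EC2::Instance", "Properties": {
            "NetworkInterfaces": [{"DeviceIndex": "0", "AssociatePublicIpAddress": True}]}},
    }
}

IAM_PRINCIPAL_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}


def _has_wildcard(doc):
    """True if any statement uses a bare "*" as Action or Resource."""
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for stmt in stmts:
        for key in ("Action", "Resource"):
            vals = stmt.get(key, [])
            vals = [vals] if isinstance(vals, str) else vals
            if "*" in vals:
                return True
    return False


def check_template(template):
    """Return (logical_id, finding) pairs; an empty list means the stack may deploy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype in IAM_PRINCIPAL_TYPES and props.get("Policies"):
            findings.append((name, "inline-policy"))  # Policies[] are inline policies
            if any(_has_wildcard(p.get("PolicyDocument", {})) for p in props["Policies"]):
                findings.append((name, "wildcard"))
        elif rtype == "AWS::IAM::Policy":  # AWS::IAM::Policy is also an inline policy
            findings.append((name, "inline-policy"))
            if _has_wildcard(props.get("PolicyDocument", {})):
                findings.append((name, "wildcard"))
        elif rtype == "AWS::EC2::Instance":
            if any(ni.get("AssociatePublicIpAddress") for ni in props.get("NetworkInterfaces", [])):
                findings.append((name, "public-ip"))
    return findings
```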
LeonSauveterre
1 month, 1 week ago
Selected Answer: A
A - Proactive controls are a feature of AWS Control Tower that prevent noncompliant resources from being deployed by validating configurations before deployment. B - Detective controls can't block deployment. C - If you must monitor to get it right, then something's already wrong before you notice that. D - SCPs can indeed block specific API calls for creating IAM resources with "*" or EC2 instances with public IPs, but can't make the most of AWS CloudFormation stacks. Plus, SCPs apply at the account level and might inadvertently restrict legitimate use cases. Not ideal enough is what I'm saying.
upvoted 1 times
LeonSauveterre
1 month, 1 week ago
And btw, since "The company has AWS Control Tower enabled", option A induces much less overhead than option D.
upvoted 1 times
MatAlves
4 months, 2 weeks ago
Selected Answer: A
Prevent AWS CloudFormation from deploying IAM resources and EC2 instances based on specific use cases = Control Tower proactive controls. "Proactive controls are security controls that are designed to prevent the creation of noncompliant resources. For example (...), through AWS CloudFormation, the proactive control can prevent the creation or update of any S3 bucket that has public access enabled." https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/proactive-controls.html
upvoted 3 times
88f8032
9 months, 1 week ago
Selected Answer: A
this is A
upvoted 2 times
Sergiuss95
9 months, 1 week ago
Selected Answer: D
It's D; the best way to prevent these actions is deploying SCPs.
upvoted 1 times
BBR01
9 months, 1 week ago
Selected Answer: D
It is D. You want to prevent the events from happening. Proactive controls check whether resources are compliant with your company policies and objectives, before the resources are provisioned in your accounts. Detective controls detect specific events when they occur and log the action in CloudTrail. Preventive controls prevent actions from occurring. Preventive controls are implemented with SCPs. Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks. https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#how-controls-work
upvoted 1 times
TwinSpark
8 months, 3 weeks ago
As stated by you, A is correct. Proactive controls are implemented as CloudFormation hooks, and the resource will not be deployed if it is not compliant. It is exactly what is asked in the question. Using an SCP is actually a valid solution, but it needs to be associated with a specific resource that is not specified. If you associate it with the root account, nobody can deploy a public-IP EC2 instance, not only CloudFormation.
upvoted 2 times
osmk
11 months, 1 week ago
Selected Answer: A
Proactive controls are implemented using AWS CloudFormation hooks within AWS Control Tower. They operate before resources are deployed to determine compliance with activated controls. SCPs are part of AWS Organizations and are used to manage permissions. vs. Define specific purposes for implementing controls. https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html
upvoted 6 times
osmk
11 months, 1 week ago
SCPs focus on managing permissions at the OU level, while proactive controls in AWS Control Tower help prevent non-compliance during resource provisioning.
upvoted 3 times
NayeraB
11 months, 3 weeks ago
Selected Answer: A
A would provide a proactive solution. Also, I'm not sure if SCPs are made for granular details like creation of EC2 instances with public IP addresses or IAM resources with certain inline policies.
upvoted 2 times
Andy_09
1 year ago
Option D
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other