Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 209 discussion

A company's organization in AWS Organizations has a single OU. The company runs Amazon EC2 instances in the OU accounts. The company needs to limit the use of each EC2 instance’s credentials to the specific EC2 instance that the credential is assigned to. A DevOps engineer must configure security for the EC2 instances.

Which solution will meet these requirements?

  • A. Create an SCP that specifies the VPC CIDR block. Configure the SCP to check whether the value of the aws:VpcSourceIp condition key is in the specified block. In the same SCP check, check whether the values of the aws:EC2InstanceSourcePrivateIPv4 and aws:SourceVpc condition keys are the same. Deny access if either condition is false. Apply the SCP to the OU.
  • B. Create an SCP that checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys are the same. Deny access if the values are not the same. In the same SCP check, check whether the values of the aws:EC2InstanceSourcePrivateIPv4 and aws:VpcSourceIp condition keys are the same. Deny access if the values are not the same. Apply the SCP to the OU.
  • C. Create an SCP that includes a list of acceptable VPC values and checks whether the value of the aws:SourceVpc condition key is in the list. In the same SCP check, define a list of acceptable IP address values and check whether the value of the aws:VpcSourceIp condition key is in the list. Deny access if either condition is false. Apply the SCP to each account in the organization.
  • D. Create an SCP that checks whether the values of the aws:EC2InstanceSourceVPC and aws:VpcSourceIp condition keys are the same. Deny access if the values are not the same. In the same SCP check, check whether the values of the aws:EC2InstanceSourcePrivateIPv4 and aws:SourceVpc condition keys are the same. Deny access if the values are not the same. Apply the SCP to each account in the organization.
Suggested Answer: B
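To make the pairing in answer B concrete, here is an added example (not code from the question, the exam, or the linked AWS blog post): the SCP as a Python structure, plus a small evaluator for the three condition operators it uses, run against constructed request contexts. The policy follows the pattern AWS documents for the aws:ec2InstanceSourceVPC and aws:ec2InstanceSourcePrivateIPv4 keys; the Sids, the instance ARN, the VPC IDs, the IP addresses and the evaluator are all assumptions made here for illustration. The Null check on ec2:SourceInstanceARN limits the deny to EC2 instance role credentials, and the BoolIfExists check on aws:ViaAWSService keeps calls that AWS services make on the instance's behalf from being blocked.

```python
"""Model of the SCP from answer B plus a minimal condition evaluator.

Added example, not from the question or the AWS blog post it cites.
Instance ARN, VPC IDs, IP addresses and request contexts are constructed.
"""
import json
import re

INSTANCE_CREDENTIAL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCredsUsedOutsideSourceVpc",  # Sid is an assumption
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                # VPC the credentials were issued in must equal the VPC the
                # request arrives from (aws:SourceVpc is set by VPC endpoints).
                "StringNotEquals": {"aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"},
                # Only apply to EC2 instance role credentials.
                "Null": {"ec2:SourceInstanceARN": "false"},
                # Leave calls made by AWS services on the instance's behalf alone.
                "BoolIfExists": {"aws:ViaAWSService": "false"},
            },
        },
        {
            "Sid": "DenyCredsUsedFromOtherPrivateIp",  # Sid is an assumption
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                # Private IP the credentials were issued to must equal the
                # source IP seen at the VPC endpoint.
                "StringNotEquals": {"aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"},
                "Null": {"ec2:SourceInstanceARN": "false"},
                "BoolIfExists": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def policy_document() -> str:
    """The SCP as JSON, ready for `aws organizations create-policy --content`."""
    return json.dumps(INSTANCE_CREDENTIAL_SCP, indent=2)


def _resolve(value: str, ctx: dict) -> str:
    """Substitute ${key} policy variables from the request context."""
    return _VAR.sub(lambda m: ctx.get(m.group(1), ""), value)


def _condition_true(operator: str, key: str, expected: str, ctx: dict) -> bool:
    if operator == "Null":
        # "false" means the key must be present, "true" means it must be absent.
        return (key in ctx) == (expected == "false")
    if operator == "BoolIfExists":
        return key not in ctx or str(ctx[key]).lower() == expected
    if operator == "StringNotEquals":
        # ASSUMPTION: an absent key is treated as "no match" here. Real IAM
        # has its own rules for absent keys; the contexts below always
        # carry both keys, so that path is never exercised.
        if key not in ctx:
            return False
        return ctx[key] != _resolve(expected, ctx)
    raise NotImplementedError(operator)


def scp_denies(policy: dict, ctx: dict):
    """Sid of the first Deny statement whose conditions all match, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if all(_condition_true(op, k, v, ctx)
               for op, kv in stmt["Condition"].items() for k, v in kv.items()):
            return stmt.get("Sid")
    return None


# Constructed request contexts. Credentials were minted on an instance in
# vpc-0aaa with private IP 10.0.1.25; all calls traverse a VPC endpoint.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111111111111:instance/i-0abc123def456"
LEGIT = {
    "ec2:SourceInstanceARN": INSTANCE_ARN,
    "aws:ec2InstanceSourceVPC": "vpc-0aaa",
    "aws:ec2InstanceSourcePrivateIPv4": "10.0.1.25",
    "aws:SourceVpc": "vpc-0aaa",
    "aws:VpcSourceIp": "10.0.1.25",
}
STOLEN_OTHER_VPC = {**LEGIT, "aws:SourceVpc": "vpc-0bbb", "aws:VpcSourceIp": "10.1.0.7"}
STOLEN_SAME_VPC = {**LEGIT, "aws:VpcSourceIp": "10.0.1.99"}
IAM_USER_VIA_ENDPOINT = {"aws:SourceVpc": "vpc-0ccc", "aws:VpcSourceIp": "10.2.0.4"}
SERVICE_ON_BEHALF = {**STOLEN_OTHER_VPC, "aws:ViaAWSService": "true"}


def run_scenarios() -> dict:
    """Which statement, if any, denies each constructed request."""
    return {name: scp_denies(INSTANCE_CREDENTIAL_SCP, ctx) for name, ctx in {
        "legit": LEGIT,
        "stolen_other_vpc": STOLEN_OTHER_VPC,
        "stolen_same_vpc": STOLEN_SAME_VPC,
        "iam_user_via_endpoint": IAM_USER_VIA_ENDPOINT,
        "service_on_behalf": SERVICE_ON_BEHALF,
    }.items()}


if __name__ == "__main__":
    print(policy_document())
    for name, sid in run_scenarios().items():
        print(f"{name:24s} -> {'ALLOW' if sid is None else 'DENY by ' + sid}")
```

Two practitioner caveats. First, aws:SourceVpc and aws:VpcSourceIp are only present in the request context when the call traverses a VPC endpoint, so this SCP assumes API traffic from the instances goes through endpoints; the behaviour for a call that egresses via an internet gateway is not modelled above and should be confirmed in a test account before the policy is attached to a production OU. Second, the cross-pairing in option D (aws:EC2InstanceSourceVPC against aws:VpcSourceIp) compares a VPC ID with an IP address, which can never be equal, so that SCP would deny every instance-credential call rather than only the stolen ones.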

Comments

devakram
Highly Voted 1 year ago
Selected Answer: B
B, obviously: https://aws.amazon.com/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/
upvoted 5 times
RajAWSDevOps007
Most Recent 4 months, 1 week ago
Answer is B here. However, please note that SCPs can be applied directly to member accounts as well: https://docs.aws.amazon.com › orgs_manage_policies_scps
upvoted 1 times
6ef9a08
9 months, 4 weeks ago
Not C or D: "Apply the SCP to each account in the organization". SCPs apply to OUs, not accounts.
upvoted 1 times
fdoxxx
1 year, 1 month ago
Selected Answer: B
B is the most appropriate solution: Option A introduces unnecessary complexity with multiple conditions and may not provide the intended restriction. Option C suggests creating an SCP with lists of acceptable values, but it might be challenging to maintain and is less straightforward. Option D has the same issues as option A, introducing complexity with multiple conditions.
upvoted 4 times
Diego1414
1 year, 1 month ago
Selected Answer: B
Answer: B - aws:EC2InstanceSourceVPC = aws:SourceVpc and aws:EC2InstanceSourcePrivateIPv4 = aws:VpcSourceIp https://aws.amazon.com/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/
upvoted 4 times
thanhnv142
1 year, 2 months ago
Selected Answer: B
B is correct: aws:EC2InstanceSourceVPC and aws:SourceVpc must be the same. Additionally, aws:EC2InstanceSourcePrivateIPv4 and aws:VpcSourceIp must be the same. A: irrelevant. C: "define a list of acceptable IP address values" is not correct. D: "aws:EC2InstanceSourceVPC and aws:VpcSourceIp" is incorrect.
upvoted 4 times
thanhnv142
1 year, 2 months ago
Finally, I've made it to the last one.
upvoted 2 times
vortegon
1 year, 2 months ago
Selected Answer: B
https://aws.amazon.com/fr/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/
upvoted 2 times
Chelseajcole
1 year, 2 months ago
B: checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys are the same, and apply the SCP to the OU.
upvoted 1 times
Arnaud92
1 year, 2 months ago
Source: https://aws.amazon.com/fr/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other