Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 872 discussion

A development team uses multiple AWS accounts for its development, staging, and production environments. Team members have been launching large Amazon EC2 instances that are underutilized. A solutions architect must prevent large instances from being launched in all accounts.

How can the solutions architect meet this requirement with the LEAST operational overhead?

  • A. Update the IAM policies to deny the launch of large EC2 instances. Apply the policies to all users.
  • B. Define a resource in AWS Resource Access Manager that prevents the launch of large EC2 instances.
  • C. Create an IAM role in each account that denies the launch of large EC2 instances. Grant the developers IAM group access to the role.
  • D. Create an organization in AWS Organizations in the management account with the default policy. Create a service control policy (SCP) that denies the launch of large EC2 instances, and apply it to the AWS accounts.
Suggested Answer: D

Comments

Hkayne
Highly Voted 10 months ago
Selected Answer: D
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
upvoted 6 times
LeonSauveterre
Most Recent 1 month, 2 weeks ago
Selected Answer: D
A - You would need to update and maintain separate IAM policies in each account, which is too much trouble.
B - AWS Resource Access Manager (RAM) is primarily for resource sharing and does not directly restrict resource launches.
C - IAM roles are better suited for granting access rather than imposing restrictions. You would also need to create and maintain these roles in every account, even more trouble than option A.
D - SCPs are powerful here because they apply at the root account level, meaning that even if a developer has direct IAM permissions to launch large instances, the SCP will override and prevent it. Also, there's no need to create or manage multiple IAM policies or roles across accounts. Once the SCP is defined and applied, it enforces the restriction automatically.
upvoted 1 times
744fdad
6 months, 2 weeks ago
Why is it not A? If the goal is only to prevent launch of EC2s.
upvoted 2 times
78b9037
2 months ago
Updating IAM policies must be done separately in each account, and policies for each user must be maintained, which will cause high operational overhead, so D.
upvoted 1 times
example_
7 months, 1 week ago
Selected Answer: D
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
upvoted 3 times
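
For reference, an SCP of the kind option D describes, as an added example that is not part of the original question or any comment. Which sizes count as "large" is not stated in the question, so the allow-list of size suffixes below is an assumption; the statement denies `ec2:RunInstances` for any instance type that matches none of the listed patterns.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceTypesOutsideAssumedAllowList",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": [
            "*.nano",
            "*.micro",
            "*.small",
            "*.medium"
          ]
        }
      }
    }
  ]
}
```

Attached to the organization root or to the OUs holding the development, staging, and production accounts, one policy covers every IAM user and role in those accounts. SCPs do not restrict principals in the management account itself, so workloads should run in member accounts.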