Exam AWS Certified Solutions Architect - Professional topic 1 question 127 discussion

An organization has 4 people in the IT operations team who are responsible for managing the AWS infrastructure. The organization wants to set up access so that each user can launch and manage an instance in a zone which the other users cannot modify.
Which of the below mentioned options is the best solution to set this up?

  • A. Create four AWS accounts and give each user access to a separate account.
  • B. Create an IAM user and allow them permission to launch an instance of a different size only.
  • C. Create four IAM users and four VPCs and allow each IAM user to have access to separate VPCs.
  • D. Create a VPC with four subnets and allow access to each subnet for the individual IAM user.
Suggested Answer: D
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user can create subnets as required within a VPC. The VPC also works with IAM, and the organization can create IAM users who have access to various VPC services. The organization can set up access for an IAM user who can modify the security groups of the VPC. A sample policy is given below:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region::image/ami-*",
      "arn:aws:ec2:region:account:subnet/subnet-1a2b3c4d",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/sg-123abc123"
    ]
  }]
}
With policies of this form, the organization can create four subnets in separate zones and grant each IAM user access to its own subnet only.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
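The sample policy above only permits a RunInstances call when every resource the call touches (AMI, subnet, ENI, volume, key pair, security group) matches one of the listed ARNs, which is what confines an operator to one subnet. The following is an added example, not code from the page or from AWS: a deliberately simplified model of that evaluation for four constructed operators, each holding a policy of the page's form for their own subnet. It assumes fnmatch-style wildcard matching and ignores explicit Deny statements and Condition keys such as ec2:AvailabilityZone.

```python
import fnmatch
from typing import List

def subnet_policy(subnet_id: str, sg_id: str) -> dict:
    """Per-operator policy modelled on the page's sample ('region' and
    'account' are left as placeholders, exactly as in the original)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [
            "arn:aws:ec2:region::image/ami-*",
            f"arn:aws:ec2:region:account:subnet/{subnet_id}",
            "arn:aws:ec2:region:account:network-interface/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:key-pair/*",
            f"arn:aws:ec2:region:account:security-group/{sg_id}"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(policy: dict, action: str, request_arns: List[str]) -> bool:
    """Default deny: EVERY resource ARN the request touches must be matched by
    an Allow statement's Action and Resource patterns ('*' and '?')."""
    for arn in request_arns:
        if not any(st["Effect"] == "Allow"
                   and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                   and any(fnmatch.fnmatchcase(arn, r) for r in _as_list(st["Resource"]))
                   for st in policy["Statement"]):
            return False
    return True

def launch_arns(subnet_id: str, sg_id: str) -> List[str]:
    """Resources one RunInstances call touches (constructed ids; new ENI/volume have no id yet)."""
    return ["arn:aws:ec2:region::image/ami-0abc1234",
            f"arn:aws:ec2:region:account:subnet/{subnet_id}",
            "arn:aws:ec2:region:account:network-interface/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:key-pair/ops-key",
            f"arn:aws:ec2:region:account:security-group/{sg_id}"]

# Four operators, one subnet each (constructed ids), one shared security group.
OPERATORS = {"ops1": "subnet-1a2b3c4d", "ops2": "subnet-2b3c4d5e",
             "ops3": "subnet-3c4d5e6f", "ops4": "subnet-4d5e6f7a"}
SG = "sg-123abc123"

def can_launch(user: str, target_subnet: str) -> bool:
    return allowed(subnet_policy(OPERATORS[user], SG), "ec2:RunInstances",
                   launch_arns(target_subnet, SG))

def can_terminate(user: str, instance_id: str) -> bool:
    # Nothing grants TerminateInstances, so deleting anyone's instance is denied by default.
    return allowed(subnet_policy(OPERATORS[user], SG), "ec2:TerminateInstances",
                   [f"arn:aws:ec2:region:account:instance/{instance_id}"])
```

Note that the same policy also blocks a launch into the operator's own subnet with a security group other than the listed one, because every ARN in the request must match.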

Comments

Ganfeng
Highly Voted 3 years, 7 months ago
Though I agree with answer D, it might also really depend on what the "zone" means in the question. Are we sure this zone is 100% related to AZ? I mean you can "zone" it to production/Dev etc. VPC?
upvoted 6 times
TerrenceC
3 years, 7 months ago
Here is my understanding. The Zone here could be meant for an AZ or a VPC in that it is more about a concept. For instance, if the answer C replaces its condition with "Create four IAM users and four VPCs and each IAM user could only access its VPC" then it would be the right option accordingly.
upvoted 1 times
newme
3 years, 6 months ago
Even so, how does it prevent user A deleting user B's instances?
upvoted 1 times
01037
3 years, 5 months ago
D. You can limit access of each IAM user to its own subnet. ACD all work, but D is better.
upvoted 4 times
madmike123
Most Recent 4 months, 1 week ago
Selected Answer: A
Another oddly written question. Answers C & D talk specifically about network permissions and while accurate, only A prevents any operations folks from modifying an instance. This includes network configuration as well as other changes like restarting an instance or updating other attributes.
upvoted 1 times
amministrazione
8 months, 2 weeks ago
D. Create a VPC with four subnets and allow access to each subnet for the individual IAM user.
upvoted 1 times
TigerInTheCloud
2 years, 4 months ago
Selected Answer: D
A, B, and C do not have anything to do with the "zone". D is the only answer which makes some sense. The better answer should be restricted by AZ. There is an ec2:AvailabilityZone IAM policy condition key. Refer to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-policy-keys and https://blog.shikisoft.com/iam-policy-conditions-restrict-access-by-availability-zones/
upvoted 1 times
TigerInTheCloud
2 years, 4 months ago
So if "size" is a typo of "zone", then B is the answer.
upvoted 1 times
hilft
2 years, 9 months ago
This is a terrible question. Answers aren't practical at all. At least... D works. D
upvoted 1 times
wind
3 years, 6 months ago
D is right. You can launch instances into a specific subnet by using IAM policy.
upvoted 2 times
Clandestine60
3 years, 3 months ago
D is right. "Launch instances into a specific subnet The following policy grants users permission to launch instances into a specific subnet, and to use a specific security group in the request. The policy does this by specifying the ARN for the subnet and the ARN for the security group. If users attempt to launch an instance into a different subnet or using a different security group, the request will fail (unless another policy or statement grants users permission to do so). The policy also grants permission to use the network interface resource. When launching into a subnet, the RunInstances request creates a primary network interface by default, so the user needs permission to create this resource when launching the instance." https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html
upvoted 3 times
kmaiti
3 years, 6 months ago
C & D are applicable answers, but D is more suitable.
upvoted 1 times
newme
3 years, 6 months ago
I think only A meets the requirements. This is a perfect use case for Attribute-based access control (ABAC), but no such answers.
upvoted 3 times
consultsk
3 years, 6 months ago
I also think A is correct. In D, it can be a private or public subnet, and it does not make sense to control by subnet. At the account level, they have more power and control, and the question says at an organization level. An organization can have multiple accounts and each person can manage/lead an account. I will go with A.
upvoted 1 times
Mkumar
3 years, 7 months ago
Ans is A
upvoted 1 times
Mkumar
3 years, 7 months ago
It's a typo; it should be D with tags.
upvoted 5 times
Community vote distribution: A (35%), C (25%), B (20%), Other