Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 249 discussion

A solutions architect is designing a security solution for a company that wants to provide developers with individual AWS accounts through AWS Organizations, while also maintaining standard security controls. Because the individual developers will have AWS account root user-level access to their own accounts, the solutions architect wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new developer accounts is not modified.
Which action meets these requirements?

  • A. Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.
  • B. Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.
  • C. Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.
  • D. Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the management account.
Suggested Answer: C
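
An added example, not part of the original page or of AWS's own material: a constructed SCP of the kind option C describes, with a simplified Python model of how its explicit Deny reaches a developer account's root user. The exempt role name `SecurityBaselineAdmin`, the account ID and the helper `scp_denies` are assumptions made for illustration.

```python
import fnmatch

# Constructed SCP for illustration; the exempt role name is hypothetical.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectCloudTrail",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "cloudtrail:PutEventSelectors",
        ],
        "Resource": "*",
        "Condition": {"ArnNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/SecurityBaselineAdmin"
        }},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def scp_denies(scp, principal_arn, action):
    """Simplified model: True if an explicit Deny statement matches the call."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        # ArnNotLike: the Deny applies unless the caller matches an exempt pattern.
        if exempt and any(fnmatch.fnmatchcase(principal_arn, p)
                          for p in _as_list(exempt)):
            continue
        return True
    return False

ROOT = "arn:aws:iam::111122223333:root"  # constructed developer-account root user
ADMIN = "arn:aws:iam::111122223333:role/SecurityBaselineAdmin"  # hypothetical role
```

The model covers only the SCP layer: an SCP grants nothing by itself, so a call that passes it still needs an identity-based Allow, which the root user of a member account implicitly has.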

Comments

sctmp
Highly Voted 3 years, 7 months ago
It's C. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
upvoted 29 times
...
anpt
Highly Voted 3 years, 6 months ago
CCCCCCCCCCCCCCCCCCCCCC
upvoted 11 times
...
xxichlas
Most Recent 10 months ago
B https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
upvoted 1 times
...
peterabe
2 years, 8 months ago
D When you create an organization trail in the console, or when you enable CloudTrail as a trusted service in Organizations, this creates a service-linked role to perform logging tasks in your organization's member accounts. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html
upvoted 1 times
...
xr19970428
2 years, 8 months ago
Selected Answer: B
"Create a service control policy (SCP) that prohibits changes to CloudTrail and attach it to the developer accounts" is incorrect. An SCP can achieve the required outcome of limiting the ability to change the CloudTrail configuration, but the trail must still be created in each account and the SCP must be attached which is not automatic.
upvoted 1 times
...
examJack
3 years ago
Selected Answer: C
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
upvoted 5 times
...
manan728
3 years, 5 months ago
It's B according to Udemy aws-certified-solutions-architect-associate-practice-tests.
upvoted 1 times
manan728
3 years, 5 months ago
Using AWS CloudTrail, a user in a management account can create an organization trail that logs all events for all AWS accounts in that organization. Organization trails are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but can't modify or delete it. By default, member accounts don't have access to the log files for the organization trail in the Amazon S3 bucket. This helps you uniformly apply and enforce your event logging strategy across the accounts in your organization.
upvoted 3 times
...
...
ansarica
3 years, 5 months ago
Service Control Policy provides the facility to assign users permission under the organization root user.
upvoted 2 times
...
Monbots
3 years, 5 months ago
This question came to my exam
upvoted 3 times
...
nickname20212021
3 years, 6 months ago
Passed the exam on 26th June, this question was on my test.
upvoted 9 times
...
syu31svc
3 years, 6 months ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html: "Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines" C is the answer
upvoted 7 times
...
CCNPWILL
3 years, 6 months ago
C. close down the discussion section on this!
upvoted 3 times
...
aguy9
3 years, 6 months ago
Yes it’s definitely C
upvoted 1 times
...
venh123
3 years, 7 months ago
I too feel it's C
upvoted 1 times
...
DarthYoda
3 years, 7 months ago
C. You use SCPs to manage Organizations
upvoted 4 times
...