Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 723 discussion

A company manages hundreds of AWS accounts centrally in an organization in AWS Organizations. The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points can be accessed only within VPCs, not on the Internet.
What is the MOST operationally efficient way to enforce this requirement?

  • A. Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
  • B. Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
  • C. Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that allows the s3:CreateAccessPoint action only if the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
  • D. Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Suggested Answer: B
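As an added example that is not part of the exam page or of AWS documentation, the following Python models how IAM evaluates the SCP from option B, including the case where the condition key is absent from the request (a negated operator such as StringNotEquals still matches, so the Deny applies). The policy dict and request contexts are constructed, and `condition_matches` / `scp_denies` are hypothetical names, not AWS APIs.

```python
# Added example (not from the exam page or AWS): a minimal model of how IAM
# evaluates the SCP from option B. Only the operators this policy needs are
# modelled; the real evaluator is IAM itself.

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:CreateAccessPoint",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"s3:AccessPointNetworkOrigin": "VPC"}},
    }],
}


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against the request context.

    IAM semantics reproduced here: a positive operator is false when the key
    is absent from the request; a negated operator (StringNotEquals) is true
    when the key is absent, so a Deny guarded by it still applies.
    """
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = ctx.get(key)  # None when the key is not in the request
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def scp_denies(policy: dict, action: str, ctx: dict) -> bool:
    """True if any Deny statement in the SCP applies to this action/context."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"]
        acts = [acts] if isinstance(acts, str) else acts
        if stmt["Effect"] == "Deny" and action in acts and condition_matches(
            stmt.get("Condition", {}), ctx
        ):
            return True
    return False


# Constructed request contexts as IAM would populate them for CreateAccessPoint.
VPC_REQUEST = {"s3:AccessPointNetworkOrigin": "VPC"}
INTERNET_REQUEST = {"s3:AccessPointNetworkOrigin": "Internet"}
```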

Comments

oxfordsolutions
Highly Voted 3 years, 2 months ago
correct answer: B
upvoted 18 times
AzureDP900
Highly Voted 2 years, 12 months ago
B is right answer https://aws.amazon.com/s3/features/access-points/
upvoted 5 times
dev112233xx
Most Recent 1 year, 7 months ago
Selected Answer: B
"The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points can be accessed only within VPCs." It's not clear from the question if the company wants to apply this restriction only to the "product team" or to all members of the organization! But I will select B because it's the easiest approach.
upvoted 1 times
ccort
1 year, 11 months ago
Selected Answer: B
B for me, this screams for an SCP
upvoted 1 times
[Removed]
2 years, 1 month ago
Selected Answer: B
https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/
upvoted 1 times
psou7
2 years, 2 months ago
B. "You can control access point usage using AWS Organizations support for AWS SCPs." https://aws.amazon.com/s3/features/access-points/
upvoted 1 times
gnic
2 years, 3 months ago
Selected Answer: B
It's B. SCP to restrict permission
upvoted 1 times
kadev
2 years, 3 months ago
B. Example Service control policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:CreateAccessPoint",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:AccessPointNetworkOrigin": "VPC"
        }
      }
    }
  ]
}
```
upvoted 2 times
jyrajan69
2 years, 8 months ago
The question states clearly 'Recently, the firm began allowing product teams to build and administer their own S3 access points under their own accounts', so setting an SCP at root level would not allow this, therefore the only possible solution is A.
upvoted 3 times
cldy
2 years, 12 months ago
B. Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
upvoted 2 times
andylogan
3 years, 1 month ago
It's B
upvoted 2 times
Kopa
3 years, 1 month ago
Good point to use Access Points with SCP. I'm for B.
upvoted 2 times
tgv
3 years, 1 month ago
BBB ---
upvoted 2 times
blackgamer
3 years, 1 month ago
Answer is B
upvoted 2 times
WhyIronMan
3 years, 1 month ago
I'll go with B
upvoted 2 times
student2020
3 years, 1 month ago
B https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/
upvoted 3 times
vimgoru24
3 years, 1 month ago
AWS Org hints it should be B
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other