Exam AWS Certified Solutions Architect - Professional topic 1 question 727 discussion

A company is using AWS Organizations to manage 15 AWS accounts. A solutions architect wants to run advanced analytics on the company's cloud expenditures. The cost data must be gathered and made available from an analytics account. The analytics application runs in a VPC and must receive the raw cost data each night to run the analytics.
The solutions architect has decided to use the Cost Explorer API to fetch the raw data and store the data in Amazon S3 in JSON format. Access to the raw cost data must be restricted to the analytics application. The solutions architect has already created an AWS Lambda function to collect data by using the Cost Explorer API.
Which additional actions should the solutions architect take to meet these requirements?

  • A. Create an IAM role in the Organizations master account with permissions to use the Cost Explorer API, and establish trust between the role and the analytics account. Update the Lambda function role and add sts:AssumeRole permissions. Assume the role in the master account from the Lambda function code by using the AWS Security Token Service (AWS STS) AssumeRole API call. Create a gateway endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the S3 endpoint.
  • B. Create an IAM role in the analytics account with permissions to use the Cost Explorer API. Update the Lambda function and assign the new role. Create a gateway endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the analytics VPC by using the aws:SourceVpc condition.
  • C. Create an IAM role in the Organizations master account with permissions to use the Cost Explorer API, and establish trust between the role and the analytics account. Update the Lambda function role and add sts:AssumeRole permissions. Assume the role in the master account from the Lambda function code by using the AWS Security Token Service (AWS STS) AssumeRole API call. Create an interface endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the analytics VPC private CIDR range by using the aws:SourceIp condition.
  • D. Create an IAM role in the analytics account with permissions to use the Cost Explorer API. Update the Lambda function and assign the new role. Create an interface endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the S3 endpoint.
Suggested Answer: A

Comments

wowznuz
Highly Voted 3 years, 2 months ago
Agreed, A is correct. C could be correct except for the part about restricting access using a bucket policy with aws:SourceIp which leaves A. See https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#vpc-endpoints-s3-bucket-policies
upvoted 17 times
beebatov
Highly Voted 3 years, 2 months ago
Answer: A https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html the administrator in the management account can create a role to grant cross-account permissions to a user in a member account as follows: The management account administrator creates an IAM role and attaches a permissions policy to the role that grants permissions to the organization's resources. The management account administrator attaches a trust policy to the role that identifies the member account ID as the Principal who can assume the role. The member account administrator can then delegate permissions to assume the role to any users in the member account. Doing this allows users in the member account to create or access resources in the management account and the organization. The principal in the trust policy can also be an AWS service principal if you want to grant permissions to an AWS service to assume the role.
upvoted 11 times
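As an added example that is not part of the question or of any comment above, the following Python puts the pieces of option A into concrete form: the trust policy and permissions of the role in the management account that beebatov's quoted documentation describes, the Lambda execution role's sts:AssumeRole permission, the S3 bucket policy pinned to the gateway endpoint with aws:SourceVpce (the condition key wowznuz's link points to, instead of the aws:SourceIp that option C uses), and a Lambda handler that assumes the role, pulls one day of raw Cost Explorer data and writes it to S3 as JSON. Every account ID, role name, bucket name and endpoint ID is a placeholder.

```python
"""
Added example (not from the exam question or any commenter): the IAM and S3
policy documents option A relies on, plus the Lambda handler that uses them.
All account IDs, role names, the bucket and the endpoint ID are placeholders.
"""
import json
from datetime import date, timedelta

MGMT_ACCOUNT_ID = "111111111111"            # placeholder: Organizations management account
ANALYTICS_ACCOUNT_ID = "222222222222"       # placeholder: member account running the Lambda
COST_READER_ROLE = "CostExplorerReadOnly"   # placeholder: role created in the management account
LAMBDA_ROLE = "cost-collector-lambda"       # placeholder: Lambda execution role in the analytics account
BUCKET = "example-raw-cost-data"            # placeholder: bucket in the analytics account
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"  # placeholder: S3 gateway endpoint in the analytics VPC


def trust_policy(member_account_id: str, lambda_role_name: str) -> dict:
    """Trust policy of the management-account role. It names the Lambda's execution
    role rather than the whole member account, so nothing else in the analytics
    account can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{member_account_id}:role/{lambda_role_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def cost_reader_permissions() -> dict:
    """Permissions of the management-account role: read-only Cost Explorer."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ce:GetCostAndUsage"], "Resource": "*"}],
    }


def lambda_role_permissions(mgmt_account_id: str, role_name: str, bucket: str) -> dict:
    """Permissions of the Lambda execution role: sts:AssumeRole scoped to the one
    cross-account role, plus writes to the raw-data bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": f"arn:aws:iam::{mgmt_account_id}:role/{role_name}"},
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy that rejects any request not arriving through the gateway
    endpoint. aws:SourceVpce identifies the endpoint (aws:SourceVpc would pin the
    VPC instead); aws:SourceIp does not match endpoint traffic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaGatewayEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def cost_request(day: str) -> dict:
    """Parameters for a one-day GetCostAndUsage call; End is exclusive."""
    start = date.fromisoformat(day)
    return {
        "TimePeriod": {"Start": start.isoformat(),
                       "End": (start + timedelta(days=1)).isoformat()},
        "Granularity": "DAILY",
        "Metrics": ["UnblendedCost"],
        "GroupBy": [{"Type": "DIMENSION", "Key": "LINKED_ACCOUNT"},
                    {"Type": "DIMENSION", "Key": "SERVICE"}],
    }


def object_key(day: str) -> str:
    """Date-partitioned key so the nightly analytics job can pick up one day's data."""
    return f"raw/{day}/cost-and-usage.json"


def lambda_handler(event, context):
    import boto3  # imported here so the policy helpers above run without the SDK

    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{MGMT_ACCOUNT_ID}:role/{COST_READER_ROLE}",
        RoleSessionName="cost-collector", DurationSeconds=900,
    )["Credentials"]
    ce = boto3.client("ce", region_name="us-east-1",  # Cost Explorer API is served from us-east-1
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    day = (date.today() - timedelta(days=1)).isoformat()
    kwargs, results = cost_request(day), []
    while True:  # follow pagination until the whole day has been fetched
        resp = ce.get_cost_and_usage(**kwargs)
        results.extend(resp["ResultsByTime"])
        if not resp.get("NextPageToken"):
            break
        kwargs["NextPageToken"] = resp["NextPageToken"]
    # S3 is written with the Lambda's own role credentials, reached through the gateway endpoint
    boto3.client("s3").put_object(Bucket=BUCKET, Key=object_key(day),
                                  Body=json.dumps({"day": day, "results": results}).encode(),
                                  ContentType="application/json")
    return {"bucket": BUCKET, "key": object_key(day)}
```

Two practical caveats. The Deny statement only does what the question wants if the Lambda is attached to the analytics VPC and its subnet route tables are associated with the gateway endpoint; the STS and Cost Explorer calls still need a path out of the VPC (a NAT route, or an STS interface endpoint for the AssumeRole call). And because the Deny applies to every principal, it also locks out administrators working from the console; in production, exempt a single break-glass role with an aws:PrincipalArn condition on that statement.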
rsn
Most Recent 1 year, 3 months ago
Selected Answer: A
C could have been correct if aws:VpcSourceIp was mentioned instead of aws:SourceIp https://repost.aws/knowledge-center/block-s3-traffic-vpc-ip
upvoted 1 times
[Removed]
1 year, 9 months ago
Selected Answer: A
C almost looks right, although you would use aws:SourceIp in a bucket policy when accessing it via the internet. Use aws:SourceVpc or aws:SourceVpce when using an interface/gateway endpoint.
upvoted 2 times
maxh8086
1 year, 11 months ago
https://docs.aws.amazon.com/cost-management/latest/userguide/ce-api-best-practices.html An IAM user must be granted explicit permission to query the Cost Explorer API. Granting an IAM user access to the Cost Explorer API gives that user query access to any cost and usage data available to that account. B
upvoted 1 times
pinhead900
2 years, 2 months ago
answer is A - but still the Lambda would need to run in the VPC for it to be able to use the gateway endpoint, that part is missing.
upvoted 2 times
Andykris
2 years, 3 months ago
C has interface endpoint which is incorrect for S3.
upvoted 3 times
Andykris
2 years, 3 months ago
Correct answer is A
upvoted 1 times
kangtamo
2 years, 5 months ago
Selected Answer: A
Agree with A. Gateway endpoint for S3.
upvoted 1 times
AzureDP900
2 years, 12 months ago
A is correct, S3 gateway endpoint for access within analytics VPC from analytics application. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html
upvoted 2 times
andylogan
3 years ago
It's A
upvoted 1 times
tgv
3 years ago
AAA --- The cost of the AWS Organization is visible in the master account so B & D are out. A is a more best practice approach. No need for an interface endpoint
upvoted 4 times
blackgamer
3 years, 1 month ago
A for sure
upvoted 1 times
pablobairat
3 years, 1 month ago
It is D. In A, the Lambda does not have permissions to write in the S3 bucket because it is not able to access the endpoint
upvoted 1 times
rodolfo2020
3 years, 1 month ago
agreed, A is correct because only S3 and DynamoDB support gateway endpoints https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html
upvoted 2 times
Kopa
3 years, 1 month ago
going for A
upvoted 1 times
WhyIronMan
3 years, 1 month ago
I'll go with A
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other