Exam AWS Certified Solutions Architect - Professional topic 1 question 182 discussion

An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations, as the organization has hosted all of its applications in the AWS VPC. The auditor works from a remote location and wants access to AWS to view all the VPC records.
How can the organization meet the auditor's expectations without compromising the security of its AWS infrastructure?

  • A. The organization should not accept the request as sharing the credentials means compromising on security.
  • B. Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.
  • C. Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.
  • D. The organization should create an IAM user with VPC full access but set a condition that disallows any modification if the request comes from any IP other than the organization's data center.
Suggested Answer: C
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user can create subnets within a VPC as required. The VPC also works with IAM, and the organization can create IAM users who have access to various VPC services. If an auditor wants access to the AWS VPC to verify the rules, the organization should be careful not to share anything that would allow updates to the AWS infrastructure. In this scenario it is recommended that the organization create an IAM user with read-only access to the VPC and share those credentials with the auditor, since read-only access cannot harm the organization. The sample policy is given below:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeInternetGateways",
      "ec2:DescribeCustomerGateways", "ec2:DescribeVpnGateways", "ec2:DescribeVpnConnections",
      "ec2:DescribeRouteTables", "ec2:DescribeAddresses", "ec2:DescribeSecurityGroups",
      "ec2:DescribeNetworkAcls", "ec2:DescribeDhcpOptions", "ec2:DescribeTags", "ec2:DescribeInstances"
    ],
    "Resource": "*"
  }]
}
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
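The suggested answer's core requirement is that nothing handed to the auditor can modify the infrastructure, and the comments below argue about whether "all EC2 services" is wider than needed. That property can be checked mechanically before a policy is attached. The following is an added example, not from this page or from AWS: it wraps the sample statement above into a complete policy document and flags every Allow action that is not a Describe/Get/List call, including wildcards and NotAction statements. OVERBROAD_POLICY is a constructed counter-example.

```python
import json

# The page's sample statement wrapped into a complete policy document
# (the page shows only the statement body).
VPC_READONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeInternetGateways",
        "ec2:DescribeCustomerGateways", "ec2:DescribeVpnGateways", "ec2:DescribeVpnConnections",
        "ec2:DescribeRouteTables", "ec2:DescribeAddresses", "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls", "ec2:DescribeDhcpOptions", "ec2:DescribeTags",
        "ec2:DescribeInstances"]}],
})

# Constructed counter-example (not from the page): a mutating action and a bare
# wildcard slipped in alongside the Describe calls, so it must not go to an auditor.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:AuthorizeSecurityGroupIngress"]},
        {"Effect": "Allow", "Resource": "*", "Action": "*"},
    ],
})

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and NotAction.
    return value if isinstance(value, list) else [value]

def non_read_only_actions(policy_json):
    """Return every Allow action that could do more than read.

    An action passes only if the text before any '*' starts with a read-only
    verb, so 'ec2:Describe*' passes while 'ec2:*' and '*' are flagged.
    NotAction statements are flagged whole: they allow everything unlisted.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2].split("*", 1)[0]  # "ec2:DescribeVpcs" -> "DescribeVpcs"
            if not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings
```

An empty result means the policy only grants read-style calls; it does not judge whether the read scope itself is wider than the auditor needs, which is the separate least-privilege question the comments raise.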

Comments

jyrajan69
Highly Voted 3 years, 2 months ago
In all circumstances, when there is an answer that says Role, that is more than likely the answer (AWS best practice). And creating a user with permanent credentials is not advisable, so definitely B.
upvoted 11 times
mnsait
4 months, 4 weeks ago
Exactly. I was quick-reading and looking for the words 'IAM Role' and skipping answers that start with 'Create an IAM User'.
upvoted 1 times
user0001
2 years, 11 months ago
Agree, it should be B.
upvoted 1 times
AnonymousJhb
3 years, 2 months ago
I presume this auditor is external to the business and is not federated? Thus we start with an IAM user role. "Faraway" means nothing. :(
upvoted 1 times
amministrazione
Most Recent 8 months, 2 weeks ago
B. Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.
upvoted 1 times
NirvanaSNM
12 months ago
Selected Answer: B
Role is better than users since it grants temporary access to auditors, which aligns with AWS best practice. I would choose B.
upvoted 1 times
colortex
1 year, 11 months ago
Role is better than users since it grants temporary access to auditors, which aligns with AWS best practice. I would choose B.
upvoted 2 times
CloudHandsOn
2 years, 1 month ago
B. The answer should be B. Easy one.
upvoted 1 times
gondohwe
2 years, 8 months ago
The role violates the principle of least privilege, since the auditor needs read-only access to VPC, not all EC2 services... C is a better security option.
upvoted 1 times
bfal
3 years, 1 month ago
Any answer with role is most likely to be correct, as this is preferred over creating an IAM user account. However, what makes Ans B incorrect is in the question. The role would have been excessive if granted, as "all EC2 services" will be permitted too. And the auditor only requires VPC read-only access, and nothing else, so a role for all EC2 services will contradict the principle of least privilege, in my view. So C is correct.
upvoted 4 times
cldy
3 years, 4 months ago
C. Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.
upvoted 1 times
tiana528
3 years, 5 months ago
Selected Answer: C
C. Because C can work, it is simple and straightforward. B creates a role which is not necessary.
upvoted 2 times
01037
3 years, 7 months ago
Yes, it is C.
upvoted 1 times
viet1991
3 years, 7 months ago
C. Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other