Exam AWS Certified Solutions Architect - Professional topic 1 question 765 discussion

A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account.
Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads.
Which strategy will meet these requirements?

  • A. Create separate OUs in AWS Organizations for each development unit. Assign the created OUs to the company AWS accounts. Create separate SCPs with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag that matches the development unit name. Assign the SCP to the corresponding OU.
  • B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit.
  • C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Create an SCP with an allow action and a StringEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.
  • D. Create separate IAM policies for each development unit. For every IAM policy, add an allow action and a StringEquals condition for the DevelopmentUnit resource tag and the development unit name. During SAML federation, use AWS Security Token Service (AWS STS) to assign the IAM policy and match the development unit name to the assumed IAM role.
Suggested Answer: B 🗳️
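The deny policy that option B describes, as an added example that is not part of the question or of any commenter's post: the policy JSON is held in a Python dict and a minimal evaluator applies its StringNotEquals condition, including the edge case of an instance with no DevelopmentUnit tag. The actions listed, the tag values and the evaluator itself are constructed for illustration; the real IAM engine evaluates far more than these two condition keys.

```python
# Added example: option B's Deny statement plus a toy evaluator for its
# single StringNotEquals condition (not AWS code; tag values constructed).

# Attached to the developers' federated role. The caller's unit arrives as
# the session tag aws:PrincipalTag/DevelopmentUnit passed during SAML federation.
DENY_OTHER_UNITS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInstancesOfOtherDevelopmentUnits",
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances", "ec2:StopInstances",
                   "ec2:RebootInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {
            "ec2:ResourceTag/DevelopmentUnit":
                "${aws:PrincipalTag/DevelopmentUnit}"}},
    }],
}


def string_not_equals(actual, expected):
    """IAM semantics for a negated operator: a key missing from the request
    makes the condition TRUE, so an UNTAGGED instance is denied to every
    unit (enforce tag-on-create or add a Null condition if that is unwanted)."""
    return actual is None or actual != expected


def is_denied(policy, action, resource_tags, principal_tags):
    """True if any Deny statement in `policy` matches the request.
    An unresolved ${aws:PrincipalTag/...} is treated as a mismatch here,
    which is a simplification of how IAM handles policy variables."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        for key, value in stmt["Condition"]["StringNotEquals"].items():
            resource_tag = key.split("/", 1)[1]            # "DevelopmentUnit"
            principal_tag = value[len("${aws:PrincipalTag/"):-1]
            if string_not_equals(resource_tags.get(resource_tag),
                                 principal_tags.get(principal_tag)):
                return True
    return False
```

Actions outside the statement's Action list (for example ec2:DescribeInstances) are untouched by this policy and still depend on whatever Allow the role already carries.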

Comments

Jupi
Highly Voted 3 years, 1 month ago
It is B https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html
upvoted 10 times
Viper57
Highly Voted 3 years, 1 month ago
B is the correct answer IMO.
A - Does not make much sense. An account can only belong to one OU. This is a single production account, so it can't be in multiple OUs.
B - The session tag is used to identify which business unit a user is part of. The IAM policy prevents them from modifying resources for any business unit but their own.
C - This does not restrict any existing permissions, so users can still modify resources from different business units.
D - STS cannot be used to assign a policy to an IAM role. A policy has to be assigned to the role before authentication occurs.
upvoted 10 times
F_Eldin
Most Recent 1 year, 5 months ago
Selected Answer: B
https://aws.amazon.com/es/blogs/aws/new-for-identity-federation-use-employee-attributes-for-access-control-in-aws/ With Diagram: https://aws.amazon.com/blogs/mt/configure-session-manager-access-for-federated-users-using-saml-session-tags/
upvoted 2 times
[Removed]
2 years, 1 month ago
Selected Answer: B
B is correct. C is incorrect because we can't use "Allow" with conditions in SCP.
upvoted 2 times
cldy
2 years, 12 months ago
B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit.
upvoted 1 times
Bigbearcn
3 years, 1 month ago
It is B. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
upvoted 1 times
andylogan
3 years, 1 month ago
It's B
upvoted 2 times
DerekKey
3 years, 1 month ago
In my opinion B is correct - they already have ALLOW, therefore we need DENY. C is wrong - since they already have ALLOW permission, adding an additional ALLOW permission doesn't make sense.
upvoted 2 times
student22
3 years, 1 month ago
C. Centrally controlled via SCP added to root.
upvoted 1 times
student22
3 years, 1 month ago
Changing to B. Answer from DerekKey makes sense.
upvoted 1 times
tgv
3 years, 1 month ago
BBB ---
upvoted 3 times
denccc
3 years, 1 month ago
It's B
upvoted 1 times
blackgamer
3 years, 1 month ago
D to me.
upvoted 2 times
neta1o
3 years, 2 months ago
Seems we have some research to do on this one, I was thinking B.
upvoted 2 times
Cotter
3 years, 2 months ago
I'm not sure, maybe choose B?
upvoted 2 times
pablobairat
3 years, 2 months ago
D it is
upvoted 1 times
AWSDEvops
3 years, 2 months ago
I think it's A
upvoted 3 times
AWSDEvops
3 years, 2 months ago
Changing it to C
upvoted 1 times
pkboy78
3 years, 2 months ago
I think it is C
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%)