Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 765 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 765
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account.
Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads.
Which strategy will meet these requirements?

  • A. Create separate OUs in AWS Organizations for each development unit. Assign the created OUs to the company AWS accounts. Create separate SCPs with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag that matches the development unit name. Assign the SCP to the corresponding OU.
  • B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/ DevelopmentUnit.
  • C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Create an SCP with an allow action and a StringEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.
  • D. Create separate IAM policies for each development unit. For every IAM policy, add an allow action and a StringEquals condition for the DevelopmentUnit resource tag and the development unit name. During SAML federation, use AWS Security Token Service (AWS STS) to assign the IAM policy and match the development unit name to the assumed IAM role.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by pkboy78 at Aug. 20, 2021, 3:20 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
Jupi
Highly Voted 2 years, 12 months ago
It is B https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html
upvoted 10 times
...
Viper57
Highly Voted 2 years, 11 months ago
B is the correct answer IMO. A - Does not make much sense. An account can only belong to one OU. This is a single production account so it can't be in multiple OUs. B - Session tag is used to identify which business unit a user is part of. IAM policy prevent them from modifying resources for any business unit but their own. C. This does not restrict any existing permissions so users can still modify resources from different business units. D. STS cannot be used to assign a policy to an IAM role. A policy has to be assigned to the role before authentication occurs.
upvoted 10 times
...
F_Eldin
Most Recent 1 year, 3 months ago
Selected Answer: B
https://aws.amazon.com/es/blogs/aws/new-for-identity-federation-use-employee-attributes-for-access-control-in-aws/ With Diagram: https://aws.amazon.com/blogs/mt/configure-session-manager-access-for-federated-users-using-saml-session-tags/
upvoted 2 times
...
[Removed]
1 year, 12 months ago
Selected Answer: B
B is correct C is incorrect because we can't use "Allow" with conditions in SCP
upvoted 2 times
...
cldy
2 years, 9 months ago
B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developersג€™ assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/ DevelopmentUnit.
upvoted 1 times
...
Bigbearcn
2 years, 11 months ago
It is B. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
upvoted 1 times
...
andylogan
2 years, 11 months ago
It's B
upvoted 2 times
...
DerekKey
2 years, 11 months ago
In my opinion B is correct - they already have ALLOW therefore we need DENY C is wrong - since they already have ALLOW permission adding additional ALLOW permission doesn't make sense
upvoted 2 times
...
student22
2 years, 11 months ago
C Centrally controlled via SCP added to root.
upvoted 1 times
student22
2 years, 11 months ago
Changing to B. Answer from DerekKey makes sense.
upvoted 1 times
...
...
tgv
2 years, 11 months ago
BBB ---
upvoted 3 times
...
denccc
2 years, 11 months ago
It's B
upvoted 1 times
...
blackgamer
2 years, 11 months ago
D to me.
upvoted 2 times
...
neta1o
3 years ago
Seems we have some research to do on this one, I was thinking B.
upvoted 2 times
...
Cotter
3 years ago
I not sure, may be choose B?
upvoted 2 times
...
pablobairat
3 years ago
D it is
upvoted 1 times
...
AWSDEvops
3 years ago
I think its A
upvoted 3 times
AWSDEvops
3 years ago
changing it to C
upvoted 1 times
...
...
pkboy78
3 years ago
I think it is C
upvoted 2 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel