
Exam AWS Certified Solutions Architect - Professional topic 1 question 770 discussion

A large company in Europe plans to migrate its applications to the AWS Cloud. The company uses multiple AWS accounts for various business groups. A data privacy law requires the company to restrict developers' access to AWS European Regions only.
What should the solutions architect do to meet this requirement with the LEAST amount of management overhead?

  • A. Create IAM users and IAM groups in each account. Create IAM policies to limit access to non-European Regions. Attach the IAM policies to the IAM groups.
  • B. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create SCPs to limit access to non-European Regions and attach the policies to the OUs.
  • C. Set up AWS Single Sign-On and attach AWS accounts. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in each account.
  • D. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in the primary account.
Suggested Answer: B

Comments

mericov
Highly Voted 3 years ago
B - "This policy uses the Deny effect to deny access to all requests for operations that don't target one of the two approved regions (eu-central-1 and eu-west-1)." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 19 times
...
SureNot
Most Recent 1 year, 11 months ago
Selected Answer: B
B. Answer B is a little bit weird. It's enough to have only one OU and attach the SCP to it. But having two OUs with the same SCP is still OK.
upvoted 2 times
...
tomosabc1
1 year, 11 months ago
Selected Answer: C
C is correct. B is wrong, because each account (meaning each business unit) has developers, meaning there are some IAM users in each account who have access to AWS European Regions only. There is no point in creating OUs for European Regions and non-European Regions. We can simply create only one OU and attach the SCP to that OU or the root OU.
upvoted 1 times
tomosabc1
1 year, 11 months ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 1 times
...
...
Blair77
1 year, 11 months ago
Selected Answer: B
+1 for BBB
upvoted 2 times
...
Ni_yot
2 years, 9 months ago
B defo. Use service control policies to restrict access to certain accounts
upvoted 2 times
...
cldy
2 years, 9 months ago
B is correct.
upvoted 1 times
...
acloudguru
2 years, 10 months ago
Hope I can have this question in my exam.
upvoted 1 times
...
andypham
2 years, 11 months ago
B is correct
upvoted 1 times
...
Liongeek
2 years, 11 months ago
BBBBBBBBBBBB
upvoted 1 times
...
andylogan
2 years, 11 months ago
It's B
upvoted 1 times
...
johnnsmith
2 years, 11 months ago
How about non-developers if B is correct? SCP will restrict them as well. It has to be A.
upvoted 1 times
AMKazi
2 years, 8 months ago
You can restrict which groups you want to deny access in the policy. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
upvoted 1 times
...
...
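Added example, not part of any comment above and not taken from the AWS documentation: a Python sketch that builds a Region-deny SCP of the kind the thread discusses and checks it against constructed requests with a simplified local evaluator. The role names, the account ID, the shortened global-service list and the `scp_denies` helper are assumptions made for illustration; `scp_denies` models only this one statement, not the AWS policy engine.

```python
import fnmatch
import json

EU_REGIONS = ["eu-central-1", "eu-west-1"]   # the two Regions named in the quoted docs sentence
GLOBAL_SERVICES = ["iam", "organizations", "route53", "cloudfront"]  # shortened, illustrative list
EXEMPT_ROLES = ["arn:aws:iam::*:role/OrgBreakGlass"]  # hypothetical role exempted from the deny


def build_region_deny_scp(allowed_regions, global_services, exempt_role_patterns):
    """Return an SCP document that denies requests outside allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            # NotAction keeps global services out of the deny: their requests
            # are not addressed to one of the approved Regions.
            "NotAction": [f"{svc}:*" for svc in global_services],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": allowed_regions},
                # Both condition operators must match for the deny to apply.
                "ArnNotLike": {"aws:PrincipalARN": exempt_role_patterns},
            },
        }],
    }


def scp_denies(scp, action, region, principal_arn):
    """Simplified model of the single Deny statement built above."""
    stmt = scp["Statement"][0]
    if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["NotAction"]):
        return False                      # action is excluded by NotAction
    cond = stmt["Condition"]
    outside = region not in cond["StringNotEquals"]["aws:RequestedRegion"]
    exempt = any(fnmatch.fnmatchcase(principal_arn, pat)
                 for pat in cond["ArnNotLike"]["aws:PrincipalARN"])
    return outside and not exempt


SCP = build_region_deny_scp(EU_REGIONS, GLOBAL_SERVICES, EXEMPT_ROLES)

# Constructed principals (sample account ID, hypothetical role names).
DEVELOPER = "arn:aws:iam::111122223333:role/Developer"
FINANCE_ADMIN = "arn:aws:iam::111122223333:role/FinanceAdmin"
BREAK_GLASS = "arn:aws:iam::111122223333:role/OrgBreakGlass"

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
```

The evaluator shows the point raised in the last thread: the deny is keyed on the requested Region, so it applies to every principal in the attached accounts, developers or not, unless the policy's condition exempts them.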
tgv
2 years, 11 months ago
BBB ---
upvoted 4 times
...
denccc
2 years, 11 months ago
would go for B
upvoted 4 times
...
pkboy78
3 years ago
I think it is B
upvoted 2 times
...