
Exam AWS Certified Solutions Architect - Professional topic 1 question 770 discussion

A large company in Europe plans to migrate its applications to the AWS Cloud. The company uses multiple AWS accounts for various business groups. A data privacy law requires the company to restrict developers' access to AWS European Regions only.
What should the solutions architect do to meet this requirement with the LEAST amount of management overhead?

  • A. Create IAM users and IAM groups in each account. Create IAM policies to limit access to non-European Regions. Attach the IAM policies to the IAM groups.
  • B. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create SCPs to limit access to non-European Regions and attach the policies to the OUs.
  • C. Set up AWS Single Sign-On and attach AWS accounts. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in each account.
  • D. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in the primary account.
Suggested Answer: B

Comments

mericov
Highly Voted 3 years, 2 months ago
B - "This policy uses the Deny effect to deny access to all requests for operations that don't target one of the two approved regions (eu-central-1 and eu-west-1)." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 19 times
SureNot
Most Recent 2 years, 1 month ago
Selected Answer: B
B. Answer B is a little bit weird. It's enough to have only one OU and attach the SCP to it. But having two OUs with the same SCP is still OK.
upvoted 2 times
tomosabc1
2 years, 1 month ago
Selected Answer: C
C is correct. B is wrong, because each account (meaning each business unit) has developers, meaning there are some IAM users in each account who have access to AWS European Regions only. There is no point in creating OUs for European Regions and non-European Regions. We can simply create only one OU and attach the SCP to that OU or to the root OU.
upvoted 1 times
tomosabc1
2 years, 1 month ago
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
upvoted 1 times
Blair77
2 years, 1 month ago
Selected Answer: B
+1 for BBB
upvoted 2 times
Ni_yot
2 years, 11 months ago
B defo. Use service control policies to restrict access to certain accounts
upvoted 2 times
cldy
2 years, 11 months ago
B is correct.
upvoted 1 times
acloudguru
3 years ago
hope i can have this question in my exam
upvoted 1 times
andypham
3 years, 1 month ago
B is correct
upvoted 1 times
Liongeek
3 years, 1 month ago
BBBBBBBBBBBB
upvoted 1 times
andylogan
3 years, 1 month ago
It's B
upvoted 1 times
johnnsmith
3 years, 1 month ago
How about non-developers if B is correct? SCP will restrict them as well. It has to be A.
upvoted 1 times
AMKazi
2 years, 10 months ago
You can restrict which groups you want to deny access to in the policy. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
upvoted 1 times
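The following is an added example, not code from the page or from AWS: it builds a region-restriction SCP in the shape of the AWS documentation example that mericov links (a single Deny statement with `NotAction` for global services, `StringNotEquals` on `aws:RequestedRegion`, and `ArnNotLike` on `aws:PrincipalARN`), and includes a small evaluator so you can check how the statement behaves before attaching it to an OU. The exemption pattern addresses the johnnsmith/AMKazi exchange above: non-developer principals can be carved out of the Deny with a condition rather than by abandoning SCPs. The `GLOBAL_SERVICE_ACTIONS` tuple is a subset of the documentation's list, the `PlatformAdminRole` name is a placeholder, and the evaluator models only the policy elements used here, not the full IAM evaluation logic.

```python
import json
from fnmatch import fnmatchcase

# Regions the organisation permits (the two used in the AWS documentation example).
ALLOWED_REGIONS = ("eu-central-1", "eu-west-1")

# Region-less / global services that must keep working even though their
# requests do not carry an EU value for aws:RequestedRegion (IAM and STS calls,
# for instance, report us-east-1). This is a SUBSET of the documentation's list;
# extend it for your own estate before using the policy.
GLOBAL_SERVICE_ACTIONS = (
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "ec2:DescribeRegions", "s3:ListAllMyBuckets",
)

# Placeholder: roles used by non-developer staff that are allowed to bypass the SCP.
EXEMPT_PRINCIPAL_PATTERNS = ("arn:aws:iam::*:role/PlatformAdminRole",)


def build_deny_non_eu_scp():
    """Return the SCP document as a dict (json.dumps() it to attach via Organizations)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideEU",
                "Effect": "Deny",
                # NotAction: the Deny applies to every action NOT listed here.
                "NotAction": list(GLOBAL_SERVICE_ACTIONS),
                "Resource": "*",
                "Condition": {
                    # Fires when the request targets a region outside the allowed set...
                    "StringNotEquals": {"aws:RequestedRegion": list(ALLOWED_REGIONS)},
                    # ...and the caller is not one of the exempt principals.
                    "ArnNotLike": {"aws:PrincipalARN": list(EXEMPT_PRINCIPAL_PATTERNS)},
                },
            }
        ],
    }


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and uses '*' as a wildcard.
    return fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action, requested_region, principal_arn):
    """Simplified check: does the Deny statement apply to this request?

    Models only NotAction, StringNotEquals on aws:RequestedRegion and
    ArnNotLike on aws:PrincipalARN, i.e. exactly the elements the SCP uses.
    An SCP never grants access; a False here only means the SCP does not
    block the call, the principal's own IAM policies still have to allow it.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt["NotAction"]):
            continue  # global-service action, excluded from the Deny
        cond = stmt["Condition"]
        region_allowed = requested_region in cond["StringNotEquals"]["aws:RequestedRegion"]
        exempt = any(fnmatchcase(principal_arn, p)
                     for p in cond["ArnNotLike"]["aws:PrincipalARN"])
        if not region_allowed and not exempt:
            return True
    return False


if __name__ == "__main__":
    policy = build_deny_non_eu_scp()
    print(json.dumps(policy, indent=2))
    dev = "arn:aws:iam::123456789012:role/Developer"  # constructed sample principal
    print("RunInstances in us-east-1 denied:", scp_denies(policy, "ec2:RunInstances", "us-east-1", dev))
    print("RunInstances in eu-west-1 denied:", scp_denies(policy, "ec2:RunInstances", "eu-west-1", dev))
```

Two details worth checking in the evaluator's output: a `Deny` on every action outside the EU without the `NotAction` carve-out would also block IAM and STS, because those global calls do not present an EU region; and an exempt role is matched by ARN pattern, so the account ID wildcard means the exemption applies in every member account the SCP reaches.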
tgv
3 years, 1 month ago
BBB ---
upvoted 4 times
denccc
3 years, 1 month ago
would go for B
upvoted 4 times
pkboy78
3 years, 2 months ago
I think it is B
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other