Exam AWS Certified Solutions Architect - Professional topic 1 question 780 discussion

A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, the company has two OUs: Research and DataOps.
Because of regulatory requirements, all resources that the company deploys in the organization must reside in the ap-northeast-1 Region. Additionally, EC2 instances that the company deploys in the DataOps OU must use a predefined list of instance types.
A solutions architect must implement a solution that applies these restrictions. The solution must maximize operational efficiency and must minimize ongoing maintenance.
Which combination of steps will meet these requirements? (Choose two.)

  • A. Create an IAM role in one account under the DataOps OU. Use the ec2:InstanceType condition key in an inline policy on the role to restrict access to specific instance types.
  • B. Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion condition key in an inline policy on each user to restrict access to all AWS Regions except ap-northeast-1.
  • C. Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU.
  • D. Create an SCP. Use the ec2:Region condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU, the DataOps OU, and the Research OU.
  • E. Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU.
Suggested Answer: CE
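
The two SCPs described in options C and E, with a small model of how they combine across the OU tree. This is an added example, not part of the original question or comments; the instance-type list, the global-service exemption list and the simplified Deny evaluator are assumptions made for illustration.

```python
import json

ALLOWED_REGION = "ap-northeast-1"         # from the question
ALLOWED_TYPES = ["t3.micro", "t3.small"]  # assumed; the page does not give the list

# Option C: attached once at the root, inherited by Research and DataOps.
REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideApNortheast1",
    "Effect": "Deny",
    # Shortened, illustrative exemption list for global services.
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": [ALLOWED_REGION]}},
}]}

# Option E: attached to the DataOps OU only.
INSTANCE_TYPE_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnlistedInstanceTypes",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotEquals": {"ec2:InstanceType": ALLOWED_TYPES}},
}]}

ATTACHED = {"Root": [REGION_SCP], "DataOps": [INSTANCE_TYPE_SCP], "Research": []}
PARENT = {"Root": None, "DataOps": "Root", "Research": "Root"}

def statement_denies(stmt, action, ctx):
    """Simplified Deny matching: exact action or 'service:*', resources ignored."""
    service_wildcard = action.split(":")[0] + ":*"
    if "NotAction" in stmt:
        in_scope = not {action, service_wildcard} & set(stmt["NotAction"])
    else:
        in_scope = stmt["Action"] in (action, service_wildcard)
    # StringNotEquals matches when the request value is outside the list.
    cond = stmt["Condition"]["StringNotEquals"]
    return in_scope and all(ctx.get(key) not in allowed for key, allowed in cond.items())

def is_denied(ou, action, ctx):
    """An explicit Deny in any SCP from the OU up to the root blocks the call."""
    while ou:
        for scp in ATTACHED[ou]:
            if any(statement_denies(s, action, ctx) for s in scp["Statement"]):
                return True
        ou = PARENT[ou]
    return False

if __name__ == "__main__":
    print(json.dumps(REGION_SCP, indent=2))
    print(json.dumps(INSTANCE_TYPE_SCP, indent=2))
```

The model covers only Deny statements; in a real organization the accounts also need an allowing SCP in effect for any call to succeed.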

Comments

gsaini
Highly Voted 2 years, 10 months ago
C & E should be right answer.
upvoted 8 times
...
Raphaello
Most Recent 9 months, 2 weeks ago
Selected Answer: CE
Correct answers are C & E
upvoted 1 times
...
janvandermerwer
2 years ago
Selected Answer: CE
C - Yes - Apply once to Root OU which will propagate to all accounts "Because of regulatory requirements, ALL resources"
E - Yes - Logical remaining answer
A - High overhead
B - High overhead
D - Wrong as you'll need to add the policy multiple times to different OUs, compared to adding once (More operational overhead)
upvoted 1 times
...
gnandam
2 years, 2 months ago
C & E - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-requested-region.html
upvoted 1 times
...
gondohwe
2 years, 3 months ago
Combination of C, E makes sense
upvoted 1 times
...
Hasitha99
2 years, 8 months ago
Selected Answer: CE
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html
upvoted 2 times
...
RVivek
2 years, 10 months ago
C & E. B: Wrong. Creating a user account in each account and adding an inline policy for each account is too much administrative work.
upvoted 1 times
...
RVivek
2 years, 10 months ago
C & E.
upvoted 1 times
...
Buggie
2 years, 11 months ago
C and E.
upvoted 2 times
...
guruaws2021
2 years, 11 months ago
The answer should be CE here
upvoted 1 times
...
Firelord
2 years, 11 months ago
C & E (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html)
upvoted 1 times
...