Exam AWS Certified Solutions Architect - Professional topic 1 question 784 discussion

A company has a large number of AWS accounts in an organization in AWS Organizations. A different business group owns each account. All the AWS accounts are bound by legal compliance requirements that restrict all operations outside the eu-west-2 Region.
The company's security team has mandated the use of AWS Systems Manager Session Manager across all AWS accounts.
Which solution should a solutions architect recommend to meet these requirements?

  • A. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization.
  • B. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. For each AWS account, use the ArnNotLike condition key to add the ARN of the IAM role that is associated with the Session Manager instance profile to the condition element of the SCP. In AWS Organizations, apply the SCP to the root of the organization.
  • C. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization. In each AWS account, create an IAM permissions boundary that allows access to the IAM role that is associated with the Session Manager instance profile.
  • D. For each AWS account, create an IAM permissions boundary that denies access to all requests that do not target eu-west-2. For each AWS account, apply the permissions boundary to the IAM role that is associated with the Session Manager instance profile.
Suggested Answer: A
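As an added example (not from the exam page or from AWS's own tooling), the Python below encodes an option A-style SCP together with a small evaluator for its Deny semantics, and shows what option B's ArnNotLike carve-out changes for the Session Manager role. The abbreviated NotAction list, the account ID and the role ARN are constructed assumptions.

```python
import copy
import fnmatch

# Constructed SCP in the shape of option A: one Deny covering every action
# except the exempted global services (NotAction) whenever the request is not
# for eu-west-2. The NotAction list is abbreviated; AWS's documented
# region-restriction example exempts many more global service prefixes.
SCP_OPTION_A = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*",
                      "cloudfront:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-2"]}},
    }],
}


def with_principal_exemption(policy, role_arn_pattern):
    """Copy of the policy with option B's ArnNotLike carve-out on aws:PrincipalARN.

    A principal matching the pattern escapes the Deny altogether and may call any
    service in any region: a bypass, not a mandate to use Session Manager.
    """
    p = copy.deepcopy(policy)
    p["Statement"][0]["Condition"]["ArnNotLike"] = {"aws:PrincipalARN": [role_arn_pattern]}
    return p


def scp_denies(policy, action, region, principal_arn):
    """Simplified evaluator modelling only NotAction, aws:RequestedRegion and
    aws:PrincipalARN. An SCP can only take permissions away, so False here still
    requires an IAM Allow in the account before the call succeeds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the Deny covers everything NOT listed (IAM action names are
        # case-insensitive, so compare lower-cased).
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in stmt.get("NotAction", [])):
            continue
        cond = stmt.get("Condition", {})
        regions = cond.get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        if regions and region in regions:
            continue  # StringNotEquals is false, so the Deny does not apply
        exempt = cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if any(fnmatch.fnmatchcase(principal_arn, pat) for pat in exempt):
            continue  # exempted principal (the option B carve-out)
        return True
    return False
```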

Comments

[Removed]
1 year, 9 months ago
Selected Answer: A
Sat on this one for a while, but I think I'll settle for A. If you want to exclude regions you can use the SCP; however, some services are global resources, so you use NotAction to exempt the global services. If you want to allow roles to bypass the policy you can use ArnNotLike and exclude certain admin roles from the SCP policy. This is NOT what we want to achieve; the goal is to block access to other regions, hence the Systems Manager roles should not be exempt. Where I'm slightly confused is how we are mandating the use of SSM. Users will be able to use any services within eu-west-2, including SSM.
upvoted 2 times
andras
1 year, 9 months ago
Selected Answer: B
Session Manager does not support cross-account access. You will need to assume a Role in account B (for example, from your user/role in account A) before starting the session. ... it seems to be B...
upvoted 1 times
mrgreatness
2 years ago
A for me, does what is asked
upvoted 1 times
SureNot
2 years, 1 month ago
Selected Answer: A
Choosing between A and B. Can't see a condition or any reason SSM should AVOID the region restriction, so A.
upvoted 2 times
nsvijay04b1
2 years, 1 month ago
Selected Answer: B
A) SSM not handled. B) Region + SSM handled in the SCP at root level (question says 'mandated'). C) Region handled at root with the SCP, SSM left for accounts to handle (not 'mandated'), and a permissions boundary cannot give permission if the SCP denies it. D) Not at all centrally managed; needs an SCP.
upvoted 2 times
asfsdfsdf
2 years, 4 months ago
Selected Answer: A
D will not work for sure; it's applied to Session Manager only. C will not work either; it's again applied to the SSM profile and it will not grant access. It's either A or B. For B it means we will allow the SSM ARN role to work in all regions. Only A is left as the correct option: it will deny access to all regions with the exception of eu-west-2. No need to do anything else, as SSM is already allowed by the SCP by default. A means we deny all access to other regions.
upvoted 2 times
asfsdfsdf
2 years, 4 months ago
If the question had stated "The company's security team has required that all AWS accounts utilize AWS Systems Manager Session Manager in all regions", I would choose B.
upvoted 1 times
Ddssssss
2 years, 5 months ago
It's not B because that would apply the SCP to all users except the Session Manager IAM, which would allow that account to do whatever it wants. I would say "D": why can't a simple permissions boundary simply deny access for Session Manager to all other regions? Why does it need an SCP?
upvoted 1 times
DLML
2 years, 9 months ago
I am not too convinced by C or A. How about B? The SCP will have a Deny to run EC2 with the condition ArnNotLike the session-manager-profile-role.
upvoted 3 times
Alexey79
2 years, 9 months ago
It's C. 1. Create an SCP that denies access to any operations outside of the specified Region: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region 2. Create an IAM policy in each account restricting it from making certain changes: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html "security team has required that all AWS accounts utilize AWS Systems Manager Session Manager": IAM must be configured to allow access.
upvoted 2 times
bobsmith2000
2 years, 6 months ago
C doesn't grant permission and doesn't override the SCP.
upvoted 2 times
SeanQi
2 years, 5 months ago
Yes, C is missing granting permission from the IAM role, but that's not the point here. Choosing C over B is to reduce the complexity of the setup.
upvoted 1 times
SeanQi
2 years, 5 months ago
I mean: choose B over C to reduce the complexity
upvoted 1 times
user0001
2 years, 6 months ago
B. C is not a scalable solution, plus the root account can change it.
upvoted 2 times
Ddssssss
2 years, 5 months ago
Boundaries restrict access, they do not allow access.
upvoted 3 times
Bigbearcn
2 years, 10 months ago
It's C.
upvoted 2 times
bobsmith2000
2 years, 6 months ago
Permissions boundaries don't grant permission and don't override the SCP.
upvoted 2 times
GeniusMikeLiu
2 years, 10 months ago
why A?
upvoted 1 times
timlow84
2 years, 10 months ago
why not C?
upvoted 1 times
user0001
2 years, 6 months ago
root account can change it
upvoted 2 times
usmanbaigmughal
2 years, 9 months ago
Because in A there is no solution for Session Manager. Answer C covers both the regional restriction and Session Manager.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other