A company wants to ensure that each department operates within their own isolated environment, and they are only able to use pre-approved services. How can this requirement be met?
A. Set up an AWS Organization to create accounts for each department, and apply service control policies to control access to AWS services.
B. Create IAM roles for each department, and set policies that grant access to specific AWS services.
C. Use the AWS Service Catalog to create catalogs of AWS services that are approved for use by each department.
D. Request that each department create and manage its own AWS account and the resources within it.
This question has 2 requirements.
1. Isolated Environments
2. Pre-Approved Services
Many comments seem to be focusing only on the second requirement and are suggesting Service Catalogs. But that will not satisfy the first requirement of Isolated Environments. The correct answer is A, which satisfies both requirements.
"C"
AWS Service Catalog provides a single location where organizations can centrally manage catalogs of IT services. With AWS Service Catalog you can control which IT services and versions are available, the configuration of the available services, and permission access by individual, group, department, or cost center.
Service control policies (SCPs) can be applied at the organization, account, or organizational unit (OU) level within AWS Organizations. SCPs define the permissions and services that are allowed or denied for specific accounts or OUs. By applying SCPs, you can restrict each department's access to only the pre-approved services that are necessary for their operations.
C is the answer
AWS Service Catalog administrators can reference an existing organization in AWS Organizations when sharing a portfolio, and they can share the portfolio with any trusted organizational unit (OU) in the organization's tree structure
The key word here is pre-approved, and in AWS Organizations you can use a service control policy to limit what any department can do, so A is the answer.
A -
With service catalogue you cannot use the AWS service completely, i.e. a user cannot modify a LAMP stack (for example) created by a service catalogue, cannot change instance type, EBS, etc.
ANS C:-
Pre-approved services features
Isolation too :- [AWS Service Catalog provides the following benefits: ... separated and isolated Availability Zones, which are connected with low-latency,. ]
Why not A :-
no "pre approved services".
Answer A:
Using AWS organization, we can isolate the environment, which means one user cannot see other user's resources. To limit the services, we can use Service Control.
C. Service Catalog.
Check the diagram of this doc:
https://aws.amazon.com/es/blogs/mt/standardizing-infrastructure-delivery-in-distributed-environments-using-aws-service-catalog/
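The service control policy approach described in the discussion above, as an added example that is not part of the original page or of any commenter's post: it builds a per-department deny-list SCP from a list of pre-approved services and evaluates sample requests against it. The department names, service lists and function names are constructed for illustration, and the simplified evaluator assumes the default FullAWSAccess SCP stays attached to the account.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample data: departments and their pre-approved service prefixes.
APPROVED = {
    "finance": ["s3", "athena", "glue"],
    "engineering": ["ec2", "s3", "lambda", "dynamodb"],
}

def build_department_scp(services):
    """SCP document that denies every action outside the approved services."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnapprovedServices",
            "Effect": "Deny",
            "NotAction": [f"{s}:*" for s in sorted(services)],
            "Resource": "*",
        }],
    }

def _matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_denies(scp, action):
    """True if any Deny statement in the SCP covers the action."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "NotAction" in st and not _matches(st["NotAction"], action):
            return True
        if "Action" in st and _matches(st["Action"], action):
            return True
    return False

def effective_allow(scp, iam_allowed, action):
    """An SCP never grants access: the request needs an IAM allow in the
    account AND no SCP deny. Assumes FullAWSAccess is still attached."""
    return _matches(iam_allowed, action) and not scp_denies(scp, action)

if __name__ == "__main__":
    scp = build_department_scp(APPROVED["finance"])
    print(json.dumps(scp, indent=2))
    admin = ["*"]  # an administrator policy inside the department account
    for act in ("s3:GetObject", "ec2:RunInstances"):
        print(act, effective_allow(scp, admin, act))
```

The generated JSON is the policy content that would be attached to the department's account or OU in AWS Organizations; SCPs do not restrict the organization's management account.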