
Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions


Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 31 discussion

An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by procurement managers. The procurement team’s policy indicates that developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The procurement team wants administration of Private Marketplace to be restricted to a role named procurement-manager-role, which could be assumed by procurement managers. Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access.
What is the MOST efficient way to design an architecture to meet these requirements?

  • A. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
  • B. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
  • C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
  • D. Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.
Suggested Answer: C 🗳️
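
An added example, not part of the original page or of AWS's own code: a simplified model of the two root-level SCPs described in option C, showing which requests they let through. The account IDs, the `Admin` role, the action subset and the matcher (Deny statements, `ArnNotLike` and wildcards only) are assumptions made for illustration.

```python
import fnmatch

# Constructed values: the ARN pattern and the action subset are assumptions.
ROLE = "arn:aws:iam::*:role/procurement-manager-role"
SCP_DENY_PMP_ADMIN = {
    "Effect": "Deny",
    "Action": ["aws-marketplace:AssociateProductsWithPrivateMarketplace",
               "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
               "aws-marketplace:CreatePrivateMarketplaceProfile",
               "aws-marketplace:UpdatePrivateMarketplaceProfile",
               "aws-marketplace:StartPrivateMarketplace",
               "aws-marketplace:StopPrivateMarketplace"],
    "Resource": "*",
    # For an assumed role, aws:PrincipalArn is the role ARN, not the session ARN.
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": ROLE}},
}
SCP_DENY_ROLE_CREATE = {"Effect": "Deny", "Action": ["iam:CreateRole"],
                        "Resource": ROLE}
ROOT_SCPS = (SCP_DENY_PMP_ADMIN, SCP_DENY_ROLE_CREATE)

def scp_denies(stmt, principal, action, resource="*"):
    """True if this Deny statement matches the request (simplified matcher)."""
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    pattern = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
    # ArnNotLike: the Deny applies to every principal that does NOT match.
    return pattern is None or not fnmatch.fnmatchcase(principal, pattern)

def passes_scps(principal, action, resource="*", scps=ROOT_SCPS):
    """SCPs only filter; an identity policy must still allow the action."""
    return not any(scp_denies(s, principal, action, resource) for s in scps)

ASSOC = "aws-marketplace:AssociateProductsWithPrivateMarketplace"
MANAGER = "arn:aws:iam::111111111111:role/procurement-manager-role"  # shared services
DEV_ADMIN = "arn:aws:iam::222222222222:role/Admin"                   # developer account
LOOKALIKE = "arn:aws:iam::222222222222:role/procurement-manager-role"

if __name__ == "__main__":
    print(passes_scps(MANAGER, ASSOC))      # manager role keeps admin access
    print(passes_scps(DEV_ADMIN, ASSOC))    # account administrators are blocked
    # A same-named role elsewhere satisfies the first SCP's exception ...
    print(passes_scps(LOOKALIKE, ASSOC))
    # ... which is why the second SCP blocks creating it.
    print(passes_scps(DEV_ADMIN, "iam:CreateRole", LOOKALIKE))
```

The first SCP keys its exception on the role name alone, so the second SCP is what keeps that exception limited to the roles already provisioned in the shared services accounts.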

Comments

masetromain
Highly Voted 1 year, 10 months ago
Selected Answer: C
The most efficient way to design an architecture to meet these requirements is option C. By creating an IAM role named procurement-manager-role in all the shared services accounts in the organization and adding the AWSPrivateMarketplaceAdminFullAccess managed policy to the role, the procurement managers will have the necessary permissions to administer Private Marketplace. Then, by creating an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role and another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization, the company can restrict access to Private Marketplace administrative access to only the procurement managers.
upvoted 16 times
SK_Tyagi
1 year, 3 months ago
The catch is the "Create an organization root-level SCP to deny permissions". I'd refrain from creating a root-level SCP
upvoted 3 times
amministrazione
Most Recent 2 months, 3 weeks ago
C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
upvoted 1 times
MAZIADI
3 months, 1 week ago
Selected Answer: C
Not D, why ? : D. Placing the procurement-manager-role in developer accounts with full Private Marketplace admin access increases the risk of mismanagement. Additionally, applying an SCP only to shared services accounts does not adequately restrict access across the entire organization.
upvoted 1 times
cnethers
5 months ago
Why C is right and D is wrong: focus on the end of the question: "Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access. What is the MOST efficient way to design an architecture to meet these requirements?"
Who should be excluded? Other IAM users, groups, roles, and account administrators in the company.
What is the MOST efficient way? Apply SCP at the root level.
D is more work than C; this is a good reason to choose C over D.
upvoted 1 times
Chakanetsa
6 months, 3 weeks ago
Selected Answer: C
C. Most efficient and secure: Creating the procurement-manager-role in shared services accounts limits its scope to specific OUs, aligning with the organizational structure. Granting AWSPrivateMarketplaceAdminFullAccess to this role provides the necessary permissions for managing Private Marketplace within the OU. An organization root-level SCP denying Private Marketplace administration to everyone except the procurement-manager-role ensures centralized control and restricts unauthorized access. Another SCP preventing the creation of the procurement-manager-role outside of shared services accounts adds an extra layer of security.
upvoted 1 times
anubha.agrahari
8 months, 2 weeks ago
Selected Answer: C
C, D doesn't make sense.
upvoted 1 times
ninomfr64
11 months, 1 week ago
Selected Answer: C
Not A, as it does not implement the requirement to enforce procurement managers to use the shared services account in each organizational unit.
Not B, as this would allow developers to administer Private Marketplace.
Not D, as this would allow developers to administer Private Marketplace.
C is correct, as it configures the required role (with the required permission) only in the shared services account, uses an SCP to deny Private Marketplace management to everyone except the role named procurement-manager-role, and another SCP to prevent creating a role named procurement-manager-role.
upvoted 2 times
ninomfr64
11 months, 1 week ago
Actually D would do the job, but creating a role in every account isn't strictly necessary and would cause more work.
upvoted 1 times
subbupro
11 months, 3 weeks ago
C is better than D, because applying an SCP at the root level with a deny policy is the best practice. Creating the role and applying it to each account is not a correct way, and it is overhead for the administrator.
upvoted 2 times
severlight
1 year ago
Selected Answer: C
Look at whenthan's answer.
upvoted 1 times
whenthan
1 year, 1 month ago
Selected Answer: C
creation of role in all shared services
adding required policy to the role
creation of org root-level to guardrail who can have those privileges
creation of SCP to close out workaround of creation of another role with same access
upvoted 3 times
Tarun4b7
1 year, 1 month ago
Selected Answer: D
C and D options are most relevant. Once you create a role, you cannot create another role with the same name. So option C doesn't make sense. So my answer is option D.
upvoted 2 times
_Jassybanga_
9 months, 2 weeks ago
I am on the same page.
upvoted 1 times
_Jassybanga_
9 months, 2 weeks ago
It's C - the role should be in shared services accounts and not all accounts.
upvoted 1 times
qxy
1 year, 2 months ago
Selected Answer: C
Clearly, it's C.
upvoted 1 times
Karamen
1 year, 3 months ago
Selected answer: C
Option D: "Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers". The procurement-manager-role is used by managers, not by developers.
upvoted 2 times
alicewsm
1 year, 1 month ago
The first sentence: "An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace."
upvoted 1 times
jainparag1
12 months ago
Developers have to ask the procurement manager and not purchase by themselves.
upvoted 2 times
SorenBendixen
1 year, 3 months ago
Selected Answer: D
It's D - according to this: https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/
upvoted 2 times
SorenBendixen
1 year, 3 months ago
It's C. D is wrong - I missed: "procurement-manager-role in all AWS accounts that will be used by DEVELOPERS"
upvoted 2 times
NikkyDicky
1 year, 4 months ago
Selected Answer: C
It's a C.
upvoted 1 times
gd1
1 year, 5 months ago
Selected Answer: C
C is correct.
upvoted 1 times
Maria2023
1 year, 5 months ago
Selected Answer: C
D is a distractor since the developers do not need to administer the private marketplace. Plus that the procurement team acts only in the shared accounts. That leaves C as the only option
upvoted 4 times