ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 28 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 28
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store's application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.
The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company's deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.
What should the security engineer do next to meet the requirements in the MOST secure way?

  • A. Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Share the portfolio with the OU.
  • B. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. In the OU, create an SCP that allows access to the extension.
  • C. Create an AWS Service Catalog portfolio in the organization's management account. Upload the CloudFormation template. Add the template to the portfolio's product list. Create an IAM role that has a trust policy that allows cross-account access to the portfolio for users in the OU accounts. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.
  • D. Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Share the extension with the OU.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by 100fold at Oct. 19, 2023, 5:15 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Christina666
Highly Voted 1 year, 2 months ago
Selected Answer: A
To use Service Catalog with multiple AWS accounts, you need to enable AWS Organizations with all features enabled. This allows you to centrally manage your accounts and apply policies across your organization. You can also use Service Catalog as a service principal for AWS Organizations, which lets you share your portfolios with organizational units (OUs) or accounts in your organization. To create a Service Catalog portfolio, you need to use an administrator account, such as the organization's management account. You can upload your CloudFormation template as a product in your portfolio, and define constraints and tags for it. You can then share your portfolio with the OU that contains the accounts for the web applications. This will allow the developers in those accounts to launch products from the shared portfolio using the Service Catalog end user console.
upvoted 9 times
Christina666
1 year, 2 months ago
Option C is incorrect because creating an IAM role that has a trust policy that allows cross-account access to the portfolio is not secure. It would allow any user in the OU accounts to assume the role and access the portfolio, regardless of their job function or access requirements.
upvoted 7 times
...
...
anandkl80
Most Recent 10 months, 1 week ago
C - appears to be the most secure and effective way to meet the requirements. It leverages the AWS Service Catalog to manage and distribute the CloudFormation template, ensuring that only approved resources are deployed. Additionally, by creating an IAM role with a trust policy for cross-account access and attaching the appropriate managed policy, it ensures that only developers from within the OU who have the necessary permissions can access and use the portfolio, aligning with the need for strict access control to the deployment plan.
upvoted 2 times
...
Sodev
10 months, 2 weeks ago
2 requirements: - Deployment plan for AWS resources - To only the developers who need access => That's a trap question, all people think about WS Service Catalog, However: A. Share the portfolio with the OU. => not fit 2rd requirement B. It match tho both req C. AWSServiceCatalogEndUserFullAccess => user able to change resources in product list D. Share the extension with the OU => not fit 2rd requirement => B is answer
upvoted 1 times
...
i7ovemyself
11 months, 3 weeks ago
AWS Service Catalog is a service that enables organizations to create and manage catalogs of IT services that are approved for use on AWS. These catalogs can include everything from virtual machine images, servers, software, and databases to entire multi-tier application architectures. Correct answer is A C will not be correct as providing full access will not be secure as per AWS standards.
upvoted 2 times
...
Raphaello
12 months ago
Selected Answer: A
Sharing Service Catalog portfolio is more secure than allowing full access. Correct answer is A.
upvoted 3 times
Raphaello
11 months, 4 weeks ago
I spent some time looking into this question. CF modules vs Service Catalog It is resource centric vs service centric. Infra. provisioning vs service management. A low level building block vs service approval. The scenario talks about ensuring "DEVELOPER" sticking to "deployment plan", which implies assurance at a lower level than service catalog. Therefore, D could be the right answer. Again, It all depends on the interpretation, but no clear "right" or "wrong" answer in this one. https://stackshare.io/stackups/aws-cloudformation-vs-aws-service-catalog#:~:text=In%20summary%2C%20AWS%20CloudFormation%20is,catalogs%20of%20pre%2Dapproved%20services.
upvoted 2 times
...
...
longns
1 year ago
Selected Answer: A
C: incorrect because allows cross-account access to the portfolio for users in the OU accounts. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role --> this violate rule give least privilege Privilege of https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceCatalogEndUserFullAccess.html
upvoted 1 times
...
Aamee
1 year, 2 months ago
Still a bit ambigious btw A and D... Not sure fully :/
upvoted 1 times
...
kejam
1 year, 3 months ago
Selected Answer: A
You can share a Service Catalog portfolio to an Org OU https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-servicecatalog.html
upvoted 2 times
...
[Removed]
1 year, 3 months ago
Selected Answer: A
Service Catalog sounds like the right tool for the job
upvoted 1 times
M2ao
1 year, 3 months ago
why not C
upvoted 1 times
...
...
bannium
1 year, 3 months ago
Selected Answer: A
I think Option A is sufficient for our needs. https://aws.amazon.com/about-aws/whats-new/2022/11/aws-service-catalog-sharing-principal-names-portfolio-organization/
upvoted 2 times
...
100fold
1 year, 3 months ago
B instead of D SCP limits the access
upvoted 2 times
Aamee
1 year, 2 months ago
Are you sure that it should be B?... cuz will SCP going to work under the OU level?..
upvoted 1 times
...
...
100fold
1 year, 4 months ago
Selected Answer: D
Answer D. You can use the CloudFormation (CLI). https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/modules.html https://aws.amazon.com/blogs/mt/introducing-aws-cloudformation-modules/
upvoted 4 times
Raphaello
11 months, 4 weeks ago
You probably have a point there. I learned something. Thank you.
upvoted 2 times
...
804a66d
11 months ago
Yes you are right D is a strong possible choice the module feature of AWS CloudFormation can accomplish the task but you are missing one aspect of the question. It askes for the MOST secure way and since the question states that AWS Organizations is being implemented and 3rd party users are accessing the environment then the MOST secure way is using AWS Service Catalog and establish that guardrail structure from the top down affecting the OU's. Thanks for the links explaining modules that is a new concept I learned from your links!
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel