ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 373 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 373
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company is using multiple AWS accounts and has multiple DevOps teams running production and non-production workloads in these accounts. The company would like to centrally-restrict access to some of the AWS services that the DevOps teams do not use. The company decided to use AWS Organizations and successfully invited all AWS accounts into the Organization. They would like to allow access to services that are currently in-use and deny a few specific services. Also they would like to administer multiple accounts together as a single unit.

What combination of steps should the solutions architect take to satisfy these requirements? (Choose three.)

  • A. Use a Deny list strategy.
  • B. Review the Access Advisor in AWS IAM to determine services recently used
  • C. Review the AWS Trusted Advisor report to determine services recently used.
  • D. Remove the default FullAWSAccess SCP.
  • E. Define organizational units (OUs) and place the member accounts in the OUs.
  • F. Remove the default DenyAWSAccess SCP.
Show Suggested Answer Hide Answer
Suggested Answer: ABE 🗳️
by devalenzuela86 at Nov. 22, 2023, 5:33 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
heatblur
Highly Voted 1 year, 2 months ago
Selected Answer: ABE
ABE is the answer: A: This approach involves explicitly denying access to specific AWS services that the company wants to restrict. It allows all other services to be accessible, which aligns with the company's requirement to allow services that are currently in use. B: AWS IAM Access Advisor shows the service permissions granted to a user and when those services were last accessed. This information is valuable to understand which AWS services are actively used and which are not, helping to make informed decisions about which services to restrict. E: Organizational Units allow for grouping AWS accounts that have similar needs or requirements. This structure enables the solutions architect to apply policies at the OU level, making it easier to manage permissions and restrictions across multiple accounts.
upvoted 9 times
heatblur
1 year, 2 months ago
Also: it shouldn't be D because the FullAWSAccess SCP allows all actions on all resources in the account. Removing it without a carefully crafted replacement policy can lead to unintended access restrictions.
upvoted 5 times
vibzr2023
1 year, 1 month ago
No...explicitly deny access/explicit Deny Statements to specific actions or resources, effectively override FullAWSAccess
upvoted 1 times
vibzr2023
1 year, 1 month ago
I mean YES... throwing some light on the permissions evaluation. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
upvoted 1 times
...
vibzr2023
1 year, 1 month ago
Saying the above statement my answer is E B A in the order.
upvoted 1 times
vibzr2023
1 year, 1 month ago
Order of Evaluation ------------------- Explicit deny statements in IAM policies or SCPs take precedence over everything else. If no explicit denies exist, AWS evaluates policies in this order: Service-Linked Roles > Resource-Based Policies > IAM Policies (including FullAWSAccess) > SCPs > Conditional Access Policies
upvoted 1 times
...
...
...
...
...
LeoSantos121212121212121
Most Recent 4 months, 2 weeks ago
Selected Answer: BDE
B - Access Advisor helps determine which AWS services are actively used D - AWS Organizations attaches a default "FullAWSAccess" SCP to all member accounts, allowing full access unless explicitly restricted.To enforce service restrictions, this SCP must be removed or replaced with a custom SCP. E - Organizational Units (OUs) help manage multiple accounts together
upvoted 1 times
...
titi_r
10 months ago
Selected Answer: ABE
Isn't this called IAM Access Analyzer instead of Advisor?
upvoted 2 times
...
igor12ghsj577
1 year ago
With a deny list strategy a default SCP allows all services and deny lists must be implemented for any specific services that must be restricted.
upvoted 1 times
...
career360guru
1 year, 1 month ago
Selected Answer: ABE
A, B and E
upvoted 1 times
...
ayadmawla
1 year, 2 months ago
Selected Answer: ABE
Agreed E+B+A in that order :)
upvoted 2 times
...
dutchy1988
1 year, 2 months ago
manage as single unit ->OU's is out of scope (answer e) deny some of the AWS services -> remove the default FullAWSAcces allow current in use services -> access advisor to determine recently used services Use deny list strategy to allow only services that are required leaves only valid answer: ABD
upvoted 1 times
dutchy1988
1 year, 2 months ago
I have to rectify one answer, You can use organizational units (OUs) to group accounts together to administer as a single unit. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html So E is correct, D is incorrect Answer must be ABE
upvoted 3 times
...
...
shaaam80
1 year, 2 months ago
Selected Answer: BDE
To administer multiple accounts together as a single unit - Create OU's with member accounts Remove blanket Allow on OUs - Remove the default FullAWSAccess SCP from OU's Review Access Advisor to view which services have been in use or accessed by users / roles Answer BDE
upvoted 1 times
shaaam80
1 year, 2 months ago
correction - ABE D is wrong, removal of FullAccessSCP without replacing it with a custom SCP is not correct. A is correct, using a Deny list to restrict access to specific services
upvoted 2 times
...
shaaam80
1 year, 2 months ago
There is no DenyAWSAccess SCP created by default on OUs during creation.
upvoted 2 times
...
...
devalenzuela86
1 year, 2 months ago
Selected Answer: ABE
ABE for sure
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel