ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 190 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 190
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company's application teams use AWS CodeCommit repositories for their applications. The application teams have repositories in multiple AWS accounts. All accounts are in an organization in AWS Organizations.

Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured with an external IdP to assume a developer IAM role. The developer role allows the application teams to use Git to work with the code in the repositories.

A security audit reveals that the application teams can modify the main branch in any repository. A DevOps engineer must implement a solution that allows the application teams to modify the main branch of only the repositories that they manage.

Which combination of steps will meet these requirements? (Choose three.)

  • A. Update the SAML assertion to pass the user's team name. Update the IAM role's trust policy to add an access-team session tag that has the team name.
  • B. Create an approval rule template for each team in the Organizations management account. Associate the template with all the repositories. Add the developer role ARN as an approver.
  • C. Create an approval rule template for each account. Associate the template with all repositories. Add the "aws:ResourceTag/access-team": "$ ;{aws:PrincipalTag/access-team}" condition to the approval rule template.
  • D. For each CodeCommit repository, add an access-team tag that has the value set to the name of the associated team.
  • E. Attach an SCP to the accounts. Include the following statement:
  • F. Create an IAM permissions boundary in each account. Include the following statement:
Show Suggested Answer Hide Answer
Suggested Answer: ADE 🗳️
by csG13 at Dec. 29, 2023, 10:04 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Diego1414
Highly Voted 1 year, 4 months ago
Selected Answer: ADE
A- SAML Assertion D - Tag the resource E - Will work with D above ad condition is based on resource tag
upvoted 7 times
...
[Removed]
Most Recent 10 months, 1 week ago
Selected Answer: ADE
ade for me
upvoted 1 times
...
jamesf
11 months ago
Selected Answer: ADE
I go for ADE Option E, this SCP ensures that only users from the team that manages a repository can modify the main branch by using the access-team tag. It denies actions if the team tags do not match.
upvoted 3 times
...
kiwtirApp
1 year, 1 month ago
Why are people choosing option E? As per the requirement: "A company's application teams use AWS CodeCommit repositories for their applications. The application teams have repositories in multiple AWS accounts. All accounts are in an organization in AWS Organizations. Each application team uses AWS IAM Identity Center (AWS Single Sign-On) configured with an external IdP to assume a developer IAM role. The developer role allows the application teams to use Git to work with the code in the repositories" Shouldn't we then ALLOW GitPush, PutFile and Merge*? I think it should be ADF.
upvoted 1 times
vdxiii
1 year ago
F is Wrong. E is correct. This SCP ensures that only users from the team that manages a repository can modify the main branch by using the access-team tag. It denies actions if the team tags do not match.
upvoted 2 times
...
kiwtirApp
1 year, 1 month ago
Sorry, i wanted to highlight this: "A DevOps engineer must implement a solution that allows the application teams to modify the main branch of only the repositories that they manage." This is why it should be ADF.
upvoted 1 times
Onolisk
1 year ago
they can already access all the repositories, the requirement is to scope down their access hense DENY not ALLOW
upvoted 4 times
...
...
...
seetpt
1 year, 1 month ago
Selected Answer: ADE
ADE for me
upvoted 2 times
...
dkp
1 year, 2 months ago
Selected Answer: ADE
ADE seems more appropriate
upvoted 3 times
...
ogerber
1 year, 3 months ago
Selected Answer: ADF
ADF, 100%
upvoted 2 times
ogerber
1 year, 3 months ago
Correction, its ADE: Permissions boundaries (Option F) are more granular and would be set on each IAM role individually. While they could achieve a similar effect, they are not as broad in scope as SCPs and would require setting up on every IAM role, which could be less efficient than a blanket policy across the organization with an SCP
upvoted 4 times
...
...
DanShone
1 year, 3 months ago
Selected Answer: ADE
A D E There no mention of an approval step being needed so rules out B & C. and F is an allow policy not deny
upvoted 4 times
...
Shasha1
1 year, 3 months ago
ACE reference for option c https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-create-template.html
upvoted 1 times
...
kyuhuck
1 year, 4 months ago
Selected Answer: ADF
adf -> correct
upvoted 2 times
...
ghoul1221
1 year, 4 months ago
isn't ADF? " Attach an SCP to the accounts. Include the following statement:" scp are for the organizations no?
upvoted 1 times
kyuhuck
1 year, 4 months ago
i think . adf~
upvoted 2 times
...
...
Ramdi1
1 year, 4 months ago
Selected Answer: ADE
I will go with ADE
upvoted 3 times
...
thanhnv142
1 year, 4 months ago
Selected Answer: ACE
ACE are correct: A: < IAM Identity Center (AWS Single Sign-On) configured with an external IdP> means we need SAML C and E are just similar with "aws:ResourceTag/access-team": "$ ;{aws:PrincipalTag/access-team}" condition
upvoted 2 times
...
davdan99
1 year, 5 months ago
Go For ADE, We don't need approval Rule here, And we use organizations, that's why SCP
upvoted 2 times
...
d262e67
1 year, 5 months ago
Selected Answer: ADE
As far as I know, the approval rule templates are designed to manage pull requests, not direct pushes to branches.
upvoted 4 times
...
ozansenturk
1 year, 5 months ago
Selected Answer: ADF
question sounds like ABAC assessment: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html approval rule templates are good to audit pull requests and if the developer is the repo owner, he/she is free to do anything.
upvoted 2 times
ozansenturk
1 year, 5 months ago
edit: ADE
upvoted 2 times
...
...
kabary
1 year, 5 months ago
Selected Answer: ACE
Answer is A, C, & E.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel