ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 789 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 789
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company needs a solution to prevent AWS CloudFormation stacks from deploying AWS Identity and Access Management (IAM) resources that include an inline policy or “*” in the statement. The solution must also prohibit deployment of Amazon EC2 instances with public IP addresses. The company has AWS Control Tower enabled in its organization in AWS Organizations.

Which solution will meet these requirements?

  • A. Use AWS Control Tower proactive controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
  • B. Use AWS Control Tower detective controls to block deployment of EC2 instances with public IP addresses and inline policies with elevated access or “*”.
  • C. Use AWS Config to create rules for EC2 and IAM compliance. Configure the rules to run an AWS Systems Manager Session Manager automation to delete a resource when it is not compliant.
  • D. Use a service control policy (SCP) to block actions for the EC2 instances and IAM resources if the actions lead to noncompliance.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Andy_09 at Feb. 6, 2024, 8:12 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
jaswantn
Highly Voted 1 year, 6 months ago
Selected Answer: D
Option D... This is preventive control of Control Tower where we use SCP to disallow actions that lead to policy violation.
upvoted 9 times
...
osmk
Highly Voted 1 year, 5 months ago
Selected Answer: A
Proactive controls are implemented using AWS CloudFormation hooks within AWS Control Tower. They operate before resources are deployed to determine compliance with activated controls. SCPs are part of AWS Organizations and are used to manage permissions. vs Define specific purposes for implementing controls.https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html
upvoted 6 times
osmk
1 year, 5 months ago
SCPs focus on managing permissions at the OU level, while proactive controls in AWS Control Tower help prevent non-compliance during resource provisioning.
upvoted 3 times
...
...
FlyingHawk
Most Recent 6 months, 4 weeks ago
Selected Answer: A
Proactive controls check whether resources are compliant with your company policies and objectives, before the resources are provisioned in your accounts. If the resources are out of compliance, they are not provisioned. Proactive controls monitor resources that would be deployed in your accounts by means of AWS CloudFormation templates. For those who are familiar with AWS: In AWS Control Tower preventive controls are implemented with Service Control Policies (SCPs). Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks.
upvoted 3 times
...
LeonSauveterre
7 months, 4 weeks ago
Selected Answer: A
A - Proactive controls are a feature of AWS Control Tower that prevent noncompliant resources from being deployed by validating configurations before deployment. B - Detective controls can't block deployment. C - If you must monitor to get it right, then something's already wrong before you notice that. D - SCPs can indeed block specific API calls for creating IAM resources with "*" or EC2 instances with public IPs, but can't make the most of AWS CloudFormation stacks. Plus, SCPs apply at the account level and might inadvertently restrict legitimate use cases. Not ideal enough is what I'm saying.
upvoted 1 times
LeonSauveterre
7 months, 4 weeks ago
And btw, since "The company has AWS Control Tower enabled", option A induces much less overhead than option D.
upvoted 2 times
...
...
MatAlves
11 months ago
Selected Answer: A
Prevent AWS CloudFormation from deploying IAM resources and EC2 instances based on specific use cases = Control Tower Proactive controls. "Proactive controls are security controls that are designed to prevent the creation of noncompliant resources. For example (...), through AWS CloudFormation, the proactive control can prevent the creation of update of any S3 bucket that has public access enabled." https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/proactive-controls.html
upvoted 3 times
...
88f8032
1 year, 3 months ago
Selected Answer: A
this is A
upvoted 2 times
...
Sergiuss95
1 year, 3 months ago
Selected Answer: D
Is D, the best way to prevent this actions, is deploying SCPs
upvoted 1 times
...
BBR01
1 year, 3 months ago
Selected Answer: D
It is D. You want to prevent the events from happening. Proactive controls check whether resources are compliant with your company policies and objectives, before the resources are provisioned in your accounts. Detective controls detect specific events when they occur and log the action in CloudTrail. Preventive controls prevent actions from occurring. Preventive controls are implemented with SCPs. Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks. https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#how-controls-work
upvoted 1 times
TwinSpark
1 year, 3 months ago
as stated by you A is correct, Proactive controls are implemented as cloudformation hooks and the resource will not be deployed if not compliants. It is exactly what is asked in question. Using an SCP it is actually a valid solution, but it need to be associated to a specific resource that is not specified. If you associated to root account nobody can deploy a public ip ec2, not only cloudformation
upvoted 2 times
...
...
NayeraB
1 year, 6 months ago
Selected Answer: A
A would provide a proactive solution, also I'm not sure if SCP are made for granular details like creation of EC2 instances with public IP addresses or IAM resources with certain inline policies.
upvoted 2 times
...
Andy_09
1 year, 6 months ago
Option D
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel