Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 329 discussion

A company is using AWS Organizations and wants to implement a governance strategy with the following requirements:

• AWS resource access is restricted to the same two Regions for all accounts.
• AWS services are limited to a specific group of authorized services for all accounts.
• Authentication is provided by Active Directory.
• Access permissions are organized by job function and are identical in each account.

Which solution will meet these requirements?

  • A. Establish an organizational unit (OU) with group policies in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
  • B. Establish a permission boundary in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
  • C. Establish a service control policy in the management account to restrict Regions and authorized services. Use AWS Resource Access Manager (AWS RAM) to share management account roles with permissions for each job function, including AWS IAM Identity Center for authentication in each account.
  • D. Establish a service control policy in the management account to restrict Regions and authorized services. Use AWS CloudFormation StackSets to provision roles with permissions for each job function, including an IAM trust policy for IAM identity provider authentication in each account.
Suggested Answer: D

Comments

Srikantha
4 weeks, 1 day ago
Selected Answer: D
Service Control Policies (SCPs): SCPs are used in AWS Organizations to apply restrictions at the organization level to control which AWS Regions and services can be used. SCPs will enforce the policy across all accounts in the organization, ensuring that resource access is restricted to only the allowed Regions and services.

CloudFormation StackSets: AWS CloudFormation StackSets are used to automatically create and maintain roles and permissions across all accounts. This allows for standardized job-function-based roles to be created consistently in each account, with the exact same structure, regardless of account.

IAM Trust Policy with Active Directory: The solution includes an IAM trust policy that allows Active Directory to authenticate users. This ensures that access is controlled by user identity and role, according to the organizational job functions.
upvoted 2 times
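
The service control policy half of answer D, as an added example that is not part of the original discussion and is not AWS-provided code. The two Regions, the authorized service list, the global-service exemptions and the helper names `build_scp` and `denied_by` are assumptions made for illustration; `denied_by` is a simplified model of explicit-deny matching that covers only the statements built here.

```python
import json
from fnmatch import fnmatchcase

# Assumed values: the question names neither the two Regions nor the services.
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]
AUTHORIZED_SERVICES = ["ec2:*", "s3:*", "rds:*", "cloudwatch:*", "iam:*", "sts:*"]
# Global services are served from one Region, so the Region statement exempts them.
GLOBAL_EXEMPT = ["iam:*", "sts:*", "organizations:*", "support:*"]


def build_scp(regions, services, global_exempt):
    """Return an SCP document with two explicit-deny guardrails."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Deny every action outside the authorized service list.
                "Sid": "DenyUnauthorizedServices",
                "Effect": "Deny",
                "NotAction": services,
                "Resource": "*",
            },
            {   # Deny regional actions requested outside the approved Regions.
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": global_exempt,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": regions}},
            },
        ],
    }


def denied_by(scp, action, region):
    """Simplified model: Sid of the first Deny statement matching the request, else None."""
    for stmt in scp["Statement"]:
        exempt = any(fnmatchcase(action.lower(), p.lower()) for p in stmt["NotAction"])
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed_regions = cond.get("aws:RequestedRegion")
        region_matches = allowed_regions is None or region not in allowed_regions
        if not exempt and region_matches:
            return stmt["Sid"]
    return None


SCP = build_scp(APPROVED_REGIONS, AUTHORIZED_SERVICES, GLOBAL_EXEMPT)

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))  # document to attach to the root or an OU
```

An SCP only filters what identities may do and grants nothing, so the job-function roles provisioned by StackSets still carry the actual permissions, and a deny-list SCP like this one relies on the default FullAWSAccess policy staying attached. SCPs do not restrict the management account itself.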
matt200
4 months, 1 week ago
Selected Answer: D
Should be D.
upvoted 4 times