
Exam AWS Certified Solutions Architect - Professional topic 1 question 588 discussion

A financial services company is moving to AWS and wants to enable developers to experiment and innovate while preventing access to production applications.
The company has the following requirements:
  • Production workloads cannot be directly connected to the internet.
  • All workloads must be restricted to the us-west-2 and eu-central-1 Regions.
  • Notification should be sent when developer sandboxes exceed $500 in AWS spending monthly.
Which combination of actions needs to be taken to create a multi-account structure that meets the company's requirements? (Choose three.)

  • A. Create accounts for each production workload within an organization in AWS Organizations. Place the production accounts within an organizational unit (OU). For each account, delete the default VPC. Create an SCP with a Deny rule for the attach an internet gateway and create a default VPC actions. Attach the SCP to the OU for the production accounts.
  • B. Create accounts for each production workload within an organization in AWS Organizations. Place the production accounts within an organizational unit (OU). Create an SCP with a Deny rule on the attach an internet gateway action. Create an SCP with a Deny rule to prevent use of the default VPC. Attach the SCPs to the OU for the production accounts.
  • C. Create a SCP containing a Deny Effect for cloudfront:*, iam:*, route53:*, and support:* with a StringNotEquals condition on an aws:RequestedRegion condition key with us-west-2 and eu-central-1 values. Attach the SCP to the organization's root.
  • D. Create an IAM permission boundary containing a Deny Effect for cloudfront:*, iam:*, route53:*, and support:* with a StringNotEquals condition on an aws:RequestedRegion condition key with us-west-2 and eu-central-1 values. Attach the permission boundary to an IAM group containing the development and production users.
  • E. Create accounts for each development workload within an organization in AWS Organizations. Place the development accounts within an organizational unit (OU). Create a custom AWS Config rule to deactivate all IAM users when an account's monthly bill exceeds $500.
  • F. Create accounts for each development workload within an organization in AWS Organizations. Place the development accounts within an organizational unit (OU). Create a budget within AWS Budgets for each development account to monitor and report on monthly spending exceeding $500.
Suggested Answer: ACF
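As an added illustration (not part of the question or of any comment below): the two SCP documents that options A and C describe, plus a small evaluator showing how a Deny statement with NotAction and a StringNotEquals condition on aws:RequestedRegion decides a request. The policy shape follows AWS's documented region-restriction SCP example, which lists the global services under NotAction rather than Action; the evaluator is a deliberate simplification of IAM's real logic, and the Sid values are made up here.

```python
import fnmatch

ALLOWED_REGIONS = ["us-west-2", "eu-central-1"]  # from the question
GLOBAL_SERVICES = ["cloudfront:*", "iam:*", "route53:*", "support:*"]

# Option C, attached at the organization root. Global services are not called
# "in" an approved Region, so they are carved out of the Deny with NotAction
# (the shape of AWS's documented region-restriction SCP example).
REGION_RESTRICTION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllOutsideApprovedRegions",
    "Effect": "Deny",
    "NotAction": GLOBAL_SERVICES,
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
}]}

# Option A, attached to the production OU after the default VPCs are deleted.
# CreateDefaultVpc is denied as well: it creates and attaches an internet
# gateway on your behalf, so denying the gateway calls alone would not stop it.
PRODUCTION_NO_INTERNET_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInternetGatewayAndDefaultVpc",
    "Effect": "Deny",
    "Action": ["ec2:AttachInternetGateway", "ec2:CreateDefaultVpc"],
    "Resource": "*",
}]}


def _matches(patterns, action):
    """Case-insensitive wildcard match, as IAM matches action names."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(policy, action, region):
    """True if a Deny statement in policy matches the request (simplified
    evaluator). An SCP only removes permissions, so False means "not blocked
    by this SCP", not "allowed": an IAM policy still has to grant the call."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            applies = _matches(stmt["Action"], action)
        else:  # NotAction: the statement covers everything except the list
            applies = not _matches(stmt["NotAction"], action)
        approved = stmt.get("Condition", {}).get("StringNotEquals", {}).get(
            "aws:RequestedRegion")
        # StringNotEquals with several values is true only when the request
        # Region matches none of them.
        if applies and (approved is None or region not in approved):
            return True
    return False
```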

Comments

Nemer
Highly Voted 3 years, 8 months ago
BCF - Production and dev accounts in separate OUs, AWS Budget for notifications. Between A & B, deleting default VPC seems excessive. SCP should be able to prevent using it. Not 100% sure.
upvoted 25 times
pablobairat
3 years, 7 months ago
B is wrong for one simple reason. You can delete the default VPC and create a new one. The new one will have a new ARN, so the SCP will not have any effect on it. Just denying the creation of an IG does not prevent creating a new default VPC with the IG attached. From here: https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html "Amazon creates the above resources on your behalf. IAM policies do not apply to these actions because you do not perform these actions. For example, if you have an IAM policy that denies the ability to call CreateInternetGateway, and then you call CreateDefaultVpc, the internet gateway in the default VPC is still created." In conclusion, ACF
upvoted 9 times
student22
3 years, 7 months ago
Good point. Answer: ACF
upvoted 1 times
ipindado2020
3 years, 8 months ago
I get the point... both questions want to reflect equivalent actions, but for me the redaction of B is very confusing... "and create a default VPC actions. Create an SCP with a Deny rule to prevent use of the default VPC". Obviously it can be understood that "create default VPC actions" means the default VPC for the prod environment.... And when it is said that "Create an SCP with a Deny rule to prevent use of the default VPC"... it can be understood that it is talking about the original "default VPC", not the new one... isn't it? In any case it is too much "it can be understood"... So I go for ACF; nobody will ever use that VPC, so for me it makes more sense to clean the entire network structure of prod (considering B's syntax).
upvoted 1 times
Ebi
Highly Voted 3 years, 7 months ago
ACF is the right answer. B cannot be the answer; there is no way to have one single SCP at OU or root level to deny use of the default VPC in each account.
upvoted 23 times
gpark
3 years, 7 months ago
Touché
upvoted 2 times
heany
2 years, 8 months ago
Should be ADF, as there could be other types of workload which could be in another org, e.g. sandbox workloads in the CTO org, etc. The question doesn't imply there are only two orgs in this company.
upvoted 2 times
JohnPi
Most Recent 2 years, 7 months ago
Selected Answer: BCF
BCF. A does not scale.
upvoted 1 times
JohnPi
2 years, 7 months ago
ACF you cannot "Create an SCP with a Deny rule to prevent use of the default VPC"
upvoted 1 times
tomosabc1
2 years, 8 months ago
Selected Answer: ACF
The answer should be ACF. B(wrong): "Create an SCP with a Deny rule to prevent use of the default VPC." It is impossible to do this. D(wrong): Permission boundary can only be attached to user or role, rather than IAM group. E(wrong): Obviously wrong. AWS Budgets should be used.
upvoted 2 times
Azerty1313
2 years, 8 months ago
C isn't recommended, see: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-warning-testing-effect
upvoted 1 times
AwsBRFan
2 years, 8 months ago
Selected Answer: ACF
AWS strongly recommends that you don't attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts. But if tested why not?
upvoted 2 times
hilft
2 years, 10 months ago
It's BDF. Don't mess around with the IGW. AWS doesn't recommend SCPs on the root account.
upvoted 1 times
aandc
2 years, 11 months ago
Selected Answer: ACF
Cannot find how to "Deny rule to prevent use of the default VPC"
upvoted 2 times
roka_ua
3 years, 2 months ago
Selected Answer: ACF
Vote ACF
upvoted 3 times
futen0326
3 years, 3 months ago
D instead of C. You don't have to attach an SCP to the root; it's bad practice. You can be a little more granular with D. It works better for the requirement.
upvoted 1 times
tkanmani76
3 years, 4 months ago
A - Why not B? Tried searching SCPs for VPC: we can deny creation of the default VPC (CreateDefaultVpc); there is none to stop using it. So the only way is to delete it. D - Why not C? Per AWS it is not a good practice to attach an SCP to the root. F - No contention with E here.
upvoted 1 times
AzureDP900
3 years, 6 months ago
I have to revisit this question and confirm between ACF vs BCF
upvoted 1 times
ryu10_09
3 years, 6 months ago
Why A? You cannot delete the default VPC, so A is not valid. It is BCF.
upvoted 1 times
ryu10_09
3 years, 6 months ago
I changed my mind. I have checked and you can delete the default VPC.
upvoted 1 times
Kopa
3 years, 6 months ago
A, C, F it should be.
upvoted 1 times
near22
3 years, 7 months ago
ADF. For C, AWS doesn't recommend applying an SCP to the root.
upvoted 1 times
littlecurly
3 years, 7 months ago
B, D, F. D denies the root to the global services including IAM, which doesn't make sense...
upvoted 1 times
student2020
3 years, 7 months ago
ACF is the answer. There is no action to prevent use of the default VPC: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other