Exam AWS Certified Solutions Architect - Professional topic 1 question 612 discussion

An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by procurement managers. The procurement team's policy indicates that developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The procurement team wants administration of Private Marketplace to be restricted to a role named procurement-manager-role, which could be assumed by procurement managers. Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access.
What is the MOST efficient way to design an architecture to meet these requirements?

  • A. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
  • B. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
  • C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
  • D. Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.
Suggested Answer: C
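The two SCPs that option C describes, with a small evaluator showing why the second one is needed (a role created in another account under the same name would otherwise inherit the first SCP's exception, as the comments below discuss). This is an added example, not code from the page or the linked AWS blog; the wildcard action pattern stands in for the explicit action list of AWSPrivateMarketplaceAdminFullAccess and the account IDs are made up.

```python
import fnmatch
# Added example (not from the page or the linked AWS blog): the two SCPs option C
# describes plus a minimal evaluator. The wildcard action pattern stands in for the
# explicit action list of AWSPrivateMarketplaceAdminFullAccess; account IDs are made up.
PM_ADMIN_ACTIONS = "aws-marketplace:*PrivateMarketplace*"
PROC_ROLE_PATTERN = "arn:aws:iam::*:role/procurement-manager-role"

# SCP 1: deny Private Marketplace administration to every principal except the role.
SCP_DENY_PM_ADMIN = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyPrivateMarketplaceAdminExceptProcurementRole",
    "Effect": "Deny", "Action": [PM_ADMIN_ACTIONS], "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalARN": PROC_ROLE_PATTERN}}}]}

# SCP 2: nobody may create a role with the privileged name in any account; without it
# an admin elsewhere could mint the name and inherit SCP 1's exception.
SCP_DENY_ROLE_CREATION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyCreatingProcurementManagerRole",
    "Effect": "Deny", "Action": ["iam:CreateRole"], "Resource": [PROC_ROLE_PATTERN]}]}

def scp_denies(scps, principal_arn, action, resource="*"):
    # True if any Deny statement matches; models Action/Resource wildcards and the
    # ArnNotLike condition on aws:PrincipalARN only (holds when no pattern matches).
    for scp in scps:
        for stmt in scp["Statement"]:
            if stmt["Effect"] != "Deny":
                continue
            res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in res):
                continue
            not_like = stmt.get("Condition", {}).get("ArnNotLike", {})
            if all(not fnmatch.fnmatchcase(principal_arn, p) for p in not_like.values()):
                return True
    return False

PROC_ROLE = "arn:aws:iam::111111111111:role/procurement-manager-role"  # shared services
DEV_ADMIN = "arn:aws:iam::222222222222:role/Admin"                      # developer account
DEV_ROLE_ARN = "arn:aws:iam::222222222222:role/procurement-manager-role"
PM_ACTION = "aws-marketplace:AssociateProductsWithPrivateMarketplace"

def scenario_results():
    # The last two entries show the gap the second SCP closes.
    both = [SCP_DENY_PM_ADMIN, SCP_DENY_ROLE_CREATION]
    return {
        "proc_role_pm_admin": scp_denies(both, PROC_ROLE, PM_ACTION),             # False
        "dev_admin_pm_admin": scp_denies(both, DEV_ADMIN, PM_ACTION),             # True
        "dev_creates_role_scp1_only": scp_denies([SCP_DENY_PM_ADMIN], DEV_ADMIN, "iam:CreateRole", DEV_ROLE_ARN),  # False
        "dev_creates_role_both": scp_denies(both, DEV_ADMIN, "iam:CreateRole", DEV_ROLE_ARN),  # True
    }
```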

Comments

Nemer
Highly Voted 3 years, 7 months ago
C. SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/
upvoted 21 times
Gladabhi
3 years, 6 months ago
I will go with C as the procurement manager needs access from the shared account. We don't want any other account to have the proc-mag-role, as that goes with the least-permission principle.
upvoted 3 times
Nemer
3 years, 7 months ago
Changed to D. In C, there is the issue of a ROOT-level SCP to deny permissions to create an IAM role named procurement-manager-role to EVERYONE in the organization.
upvoted 9 times
joe16
3 years, 6 months ago
D is wrong. Developers should not have the procurement-manager-role. "...restricted to a role named procurement-manager-role, which could be assumed by procurement managers"
upvoted 3 times
Kelvin
3 years, 6 months ago
Yes, D looks correct.
upvoted 1 times
shammous
3 years, 7 months ago
The issue is not with the word "EVERYONE", but with the entire useless statement: "Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.": First, this could be done in the first SCP, second, denying permissions to create an IAM role named procurement-manager-role doesn't change anything.
upvoted 1 times
OnePunchExam
2 years, 1 month ago
@shammous I am 1 1/2 years late, but you should read up on IAM privilege escalation to see why that statement is not useless.
upvoted 1 times
RedKane
3 years, 6 months ago
Without the second SCP, users/roles in other accounts that have full IAM access could create a role with this name, "procurement-manager-role", and assign any permissions they want. Since the first SCP explicitly excludes "procurement-manager-role" from the DENY, that would allow bypassing the intended design of the security rules.
upvoted 6 times
student22
3 years, 6 months ago
Good explanation. C makes sense.
upvoted 1 times
WhyIronMan
Highly Voted 3 years, 6 months ago
I'll go with C
upvoted 6 times
pitakk
Most Recent 2 years, 3 months ago
Selected Answer: C
procurement-manager-role is needed in the shared accounts only. The org-level SCP needs to deny permissions to administer Private Marketplace to everyone (including admins) but the role. Another SCP is needed so that the role name is not created in any other account. It is C.
upvoted 1 times
SureNot
2 years, 5 months ago
Selected Answer: C
D is wrong. You can apply SCPs to OUs, not accounts.
upvoted 2 times
[Removed]
2 years, 2 months ago
Wrong, SCPs can be applied to OUs and member accounts. The correct answer is still C, but I thought I would clear that up for you.
upvoted 1 times
dcdcdc3
2 years, 7 months ago
Selected Answer: D
Per the link provided below, https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/, and per this paragraph within that link: "As an additional control, I applied an SCP to all the organizational units in this example organization to restrict Private Marketplace administration access to an IAM role called procurement-manager. This guardrail prevents other IAM roles, users, or groups from accessing the Private Marketplace administration page, even administrators in any of these organizational units' accounts." I would choose D.
upvoted 2 times
Rahu
2 years, 7 months ago
But here the question also says "Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access". That means only answer C matches your point.
upvoted 2 times
hilft
2 years, 9 months ago
D, not C. Never root-level SCP.
upvoted 2 times
jj22222
3 years, 3 months ago
C looks right
upvoted 1 times
AMKazi
3 years, 3 months ago
Answer should be B. It meets both requirements, procurement management and dev access. C only solves the requirement of the procurement manager. What about developer access to use the marketplace? D gives the procurement manager role to developers.
upvoted 1 times
cldy
3 years, 4 months ago
C is correct.
upvoted 1 times
Ni_yot
3 years, 4 months ago
C for me. The link attached in the write-up is worth a read. https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/
upvoted 1 times
cldy
3 years, 5 months ago
C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
upvoted 1 times
AzureDP900
3 years, 5 months ago
Selected Answer: C
C is right! https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/
upvoted 3 times
acloudguru
3 years, 5 months ago
Selected Answer: C
C. SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/
upvoted 1 times
andylogan
3 years, 6 months ago
It's C
upvoted 1 times
tgv
3 years, 6 months ago
CCC ---
upvoted 1 times
blackgamer
3 years, 6 months ago
C is the answer. D is wrong, as the SCP is applied to the shared services accounts, which are not being used by developers.
upvoted 3 times
blackgamer
3 years, 6 months ago
Please refer to the following link for more details on why C is correct. https://aws.amazon.com/blogs/awsmarketplace/controlling-access-to-a-well-architected-private-marketplace-using-iam-and-aws-organizations/
upvoted 1 times
beebatov
3 years, 6 months ago
C is the answer! D is giving procurement-manager-role to DEVELOPERS!! Although it's not best practice to apply an SCP at the root level, C is the most viable answer for me here.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other