ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 600 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 600
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company with multiple accounts is currently using a configuration that does not meet the following security governance policies:
✑ Prevent ingress from port 22 to any Amazon EC2 instance.
✑ Require billing and application tags for resources.
✑ Encrypt all Amazon EBS volumes.
A solutions architect wants to provide preventive and detective controls, including notifications about a specific resource, if there are policy deviations.
Which solution should the solutions architect implement?

  • A. Create an AWS CodeCommit repository containing policy-compliant AWS CloudFormation templates. Create an AWS Service Catalog portfolio. Import the CloudFormation templates by attaching the CodeCommit repository to the portfolio. Restrict users across all accounts to items from the AWS Service Catalog portfolio. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule for deviations, and associate a CloudWatch alarm to send notifications when the TriggeredRules metric is greater than zero.
  • B. Use AWS Service Catalog to build a portfolio with products that are in compliance with the governance policies in a central account. Restrict users across all accounts to AWS Service Catalog products. Share a compliant portfolio to other accounts. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule to send a notification when a deviation occurs.
  • C. Implement policy-compliant AWS CloudFormation templates for each account, and ensure that all provisioning is completed by CloudFormation. Configure Amazon Inspector to perform regular checks against resources. Perform policy validation and write the assessment output to Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter to increment a metric when a deviation occurs. Configure a CloudWatch alarm to send notifications when the configured metric is greater than zero.
  • D. Restrict users and enforce least privilege access using AWS IAM. Consolidate all AWS CloudTrail logs into a single account. Send the CloudTrail logs to Amazon Elasticsearch Service (Amazon ES). Implement monitoring, alerting, and reporting using the Kibana dashboard in Amazon ES and with Amazon SNS.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by bbnbnuyh at Nov. 2, 2020, 8:39 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
bbnbnuyh
Highly Voted 3 years, 9 months ago
B: https://aws.amazon.com/blogs/mt/use-aws-service-catalog-to-build-a-custom-catalog-of-products-from-aws-marketplace/ https://docs.aws.amazon.com/config/latest/developerguide/monitor-config-with-cloudwatchevents.html
upvoted 16 times
...
Bulti
Highly Voted 3 years, 9 months ago
B is the right answer. It is a standard hub and spoke service catalog approach to enabling users in multiple account launch products from their portfolio in their local service catalog. A is incorrect because, it doesn't make sense to have users in other accounts access a single service catalog in a central account. This is not hub and spoke service catalog model that is promoted as a best practice in a multi-account setup.
upvoted 10 times
...
AwsBRFan
Most Recent 2 years, 9 months ago
Selected Answer: B
Just codecommit will not work: https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-S3-servicecatalog.html
upvoted 1 times
...
CloudHell
3 years ago
Selected Answer: B
B makes sense to me.
upvoted 1 times
...
cldy
3 years, 6 months ago
B. Use AWS Service Catalog to build a portfolio with products that are in compliance with the governance policies in a central account. Restrict users across all accounts to AWS Service Catalog products. Share a compliant portfolio to other accounts. Use AWS Config managed rules to detect deviations from the policies. Configure an Amazon CloudWatch Events rule to send a notification when a deviation occurs.
upvoted 2 times
...
AzureDP900
3 years, 7 months ago
Selected Answer: B
B is correct answer
upvoted 1 times
...
tgv
3 years, 7 months ago
BBB ---
upvoted 2 times
...
WhyIronMan
3 years, 7 months ago
I'll go with B
upvoted 1 times
...
Kopa
3 years, 7 months ago
B, Use AWS Config managed rules to detect deviations from the policies. This is what AWS Config is made of.
upvoted 2 times
...
blackgamer
3 years, 8 months ago
Answer is B.
upvoted 1 times
...
Waiweng
3 years, 8 months ago
it's B
upvoted 2 times
...
Sunflyhome
3 years, 8 months ago
For ppl voting C, which step does control port 22 access? ASC's portfolio doesn't define EC2's security group, does it?
upvoted 1 times
...
Kian1
3 years, 8 months ago
going with B
upvoted 2 times
...
01037
3 years, 8 months ago
Why is A wrong?
upvoted 1 times
student22
3 years, 7 months ago
Bulli has explained this above.
upvoted 1 times
...
RedKane
3 years, 8 months ago
Probably because CoodeCommit repository can't be attached to the Porfolio. Service Catalog seams to only be able to create products based on CloudFormation templates or existing stacks.
upvoted 1 times
...
...
Ebi
3 years, 8 months ago
B is the answer
upvoted 3 times
...
T14102020
3 years, 9 months ago
Correct is B. ServiceCatalog + AWS Config managed rules to detect deviations + without Cloudwatch rules to detect deviations
upvoted 2 times
...
jackdryan
3 years, 9 months ago
I'll go with B
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel