Exam AWS Certified Solutions Architect - Professional topic 1 question 668 discussion

An enterprise company is building an infrastructure services platform for its users. The company has the following requirements:
✑ Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services.
✑ Use a central account to manage the creation of infrastructure services.
✑ Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations.
✑ Provide the ability to enforce tags on any infrastructure that is started by users.

Which combination of actions using AWS services will meet these requirements? (Choose three.)

  • A. Develop infrastructure services using AWS CloudFormation templates. Add the templates to a central Amazon S3 bucket and add the IAM roles or users that require access to the S3 bucket policy.
  • B. Develop infrastructure services using AWS CloudFormation templates. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS account. Share these portfolios with the Organizations structure created for the company.
  • C. Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permissions. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3.
  • D. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions only. Use an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints.
  • E. Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the company. Apply the TagOption to AWS Service Catalog products or portfolios.
  • F. Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any CloudFormation templates that will be created for users.
Suggested Answer: BDE

Comments

liono
Highly Voted 3 years, 7 months ago
B,D,E seems to be the correct options
upvoted 21 times
...
AK2020
Highly Voted 3 years, 7 months ago
B, D , E - Seems correct
upvoted 8 times
...
Jesuisleon
Most Recent 1 year, 11 months ago
Selected Answer: BDE
B, D, E seems to make sense
upvoted 1 times
...
dev112233xx
2 years ago
Selected Answer: BCE
BCE correct
upvoted 1 times
vn_thanhtung
1 year, 8 months ago
Have logic in here?
upvoted 2 times
...
...
AwsBRFan
2 years, 7 months ago
Selected Answer: BCE
Considering BCE https://docs.aws.amazon.com/servicecatalog/latest/adminguide/controlling_access.html If you apply the ServiceCatalogEndUserAccess policy, your users have access to the end user console view, but they won't have the permissions that they need to launch products and manage provisioned products. You can grant these permissions directly to an end user in IAM, but if you want to limit the access that end users have to AWS resources, you should attach the policy to a launch role. You then use AWS Service Catalog to apply the launch role to a launch constraint for the product.
upvoted 2 times
psou7
2 years, 7 months ago
Not 100% accurate. The question does not specify what kind of EndUserAccess is granted. With EndUserFullAccess, user can launch products. End users AWSServiceCatalogEndUserFullAccess — Grants full access to the end user console view. Grants permission to launch products and manage provisioned products. AWSServiceCatalogEndUserReadOnlyAccess — Grants read-only access to the end user console view. Does not grant permission to launch products or manage provisioned products. BDE
upvoted 1 times
...
...
Ell89
2 years, 7 months ago
Selected Answer: BDE
BDE gets my vote
upvoted 1 times
...
CloudHell
2 years, 11 months ago
Selected Answer: BDE
It's BDE to me.
upvoted 1 times
...
bobsmith2000
2 years, 11 months ago
Selected Answer: BDE
No-brainer. Choose everything which is related to Service Catalog
upvoted 1 times
...
AzureDP900
3 years, 5 months ago
B,D,E is correct answer
upvoted 1 times
...
andylogan
3 years, 6 months ago
It's B D E
upvoted 1 times
...
Kopa
3 years, 6 months ago
B,D,E all related to Service Catalog
upvoted 2 times
...
tgv
3 years, 6 months ago
BBB DDD EEE ---
upvoted 3 times
...
blackgamer
3 years, 6 months ago
BDE is the answer.
upvoted 1 times
...
Suresh108
3 years, 6 months ago
"user cannot provision unapproved services" --- choose 'service catalog' in all the options given. That's BDE.
upvoted 3 times
...
WhyIronMan
3 years, 6 months ago
I'll go with B,D,E
upvoted 3 times
...
student2020
3 years, 6 months ago
I think BEF is a better option. D looks good but the ServiceCatalogEndUserAccess permission only allows read only access and users cannot launch products. And in B the portfolios have already been shared, why share again using automation scripts? https://docs.aws.amazon.com/servicecatalog/latest/adminguide/controlling_access.html
upvoted 3 times
...
mustpassla
3 years, 6 months ago
BDE. Easy question.
upvoted 2 times
...
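
The Service Catalog pieces that options B, D and E and the launch-constraint comments above refer to (central portfolio, TagOption, launch role constraint, portfolio share), written out as a CloudFormation template for the central account. This is an added example, not part of the original question or of any commenter's post; every name, tag value and parameter in it is a hypothetical placeholder.

```yaml
# Added example: all names, tag values and parameters are hypothetical placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Central Service Catalog portfolio with a TagOption and a launch role constraint
Parameters:
  TemplateUrl:
    Type: String          # S3 URL of the approved CloudFormation template
  MemberAccountId:
    Type: String          # account that receives the shared portfolio
Resources:
  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: approved-infrastructure
      ProviderName: platform-team
  Product:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: approved-vpc
      Owner: platform-team
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: !Ref TemplateUrl
  Association:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref Product
  CostCenterTag:            # one entry of the TagOption library
    Type: AWS::ServiceCatalog::TagOption
    Properties:
      Key: CostCenter
      Value: "1234"
  PortfolioTag:             # applies the TagOption to the portfolio
    Type: AWS::ServiceCatalog::TagOptionAssociation
    Properties:
      ResourceId: !Ref Portfolio
      TagOptionId: !Ref CostCenterTag
  LaunchConstraint:         # products launch with this role, not the user's own permissions
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: Association
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref Product
      LocalRoleName: sc-launch-role   # role of this name must exist in the launching account
  Share:                    # this resource type takes a single account ID
    Type: AWS::ServiceCatalog::PortfolioShare
    Properties:
      PortfolioId: !Ref Portfolio
      AccountId: !Ref MemberAccountId
      ShareTagOptions: true
```

The role named in `LocalRoleName` carries the permissions needed to create the product's resources, so the end user's own IAM role needs only Service Catalog end-user permissions.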