Exam AWS Certified Solutions Architect - Professional topic 1 question 686 discussion

A financial company with multiple departments wants to expand its on-premises environment to the AWS Cloud. The company must retain centralized access control using an existing on-premises Active Directory (AD) service. Each department should be allowed to create AWS accounts with preconfigured networking and should have access to only a specific list of approved services. Departments are not permitted to have account administrator permissions.
What should a solutions architect do to meet these security requirements?

  • A. Configure AWS Identity and Access Management (IAM) with a SAML identity provider (IdP) linked to the on-premises Active Directory, and create a role to grant access. Configure AWS Organizations with SCPs and create new member accounts. Use AWS CloudFormation templates to configure the member account networking.
  • B. Deploy an AWS Control Tower landing zone. Create an AD Connector linked to the on-premises Active Directory. Change the identity source in AWS Single Sign-On to use Active Directory. Allow department administrators to use Account Factory to create new member accounts and networking. Grant the departments AWS power user permissions on the created accounts.
  • C. Deploy an Amazon Cloud Directory. Create a two-way trust relationship with the on-premises Active Directory, and create a role to grant access. Set up an AWS Service Catalog to use AWS CloudFormation templates to create the new member accounts and networking. Use IAM roles to allow access to approved AWS services.
  • D. Configure AWS Directory Service for Microsoft Active Directory with AWS Single Sign-On. Join the service to the on-premises Active Directory. Use AWS CloudFormation to create new member accounts and networking. Use IAM roles to allow access to approved AWS services.
Suggested Answer: B
Reference: https://d1.awsstatic.com/whitepapers/aws-overview.pdf (46)
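The requirement that departments "have access to only a specific list of approved services" is the kind of boundary a service control policy (SCP) in AWS Organizations enforces, whether attached by hand (option A) or through Control Tower's guardrails on the OU an Account Factory account lands in (option B). The following is an added example, not part of the exam question or any comment: a small Python model of how an allow-list SCP intersects with a power-user identity policy. The policy documents, action names and the helper names (`policy_allows`, `effective_allow`, `denied_by_boundary`) are constructed for illustration; the evaluator deliberately handles only the Action/NotAction dimension of policy evaluation.

```python
"""Simplified SCP vs. identity-policy evaluator (added illustration, constructed data)."""
import fnmatch
import json

# Constructed allow-list SCP: only approved services are granted; SCPs grant nothing by
# default, so every other service is implicitly denied across the whole OU.
APPROVED_SERVICES_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowApprovedServices", "Effect": "Allow",
         "Action": ["ec2:*", "s3:*", "rds:*", "cloudwatch:*", "logs:*"],
         "Resource": "*"},
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
})

# Constructed "weak setting": a policy modeled on the default FullAWSAccess SCP, which
# allows everything and therefore enforces no service boundary at all.
FULL_ACCESS_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed identity policy resembling a power-user grant: everything except
# identity and organization administration.
POWER_USER_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "NotAction": ["iam:*", "organizations:*", "account:*"],
                   "Resource": "*"}],
})


def _as_list(value):
    """Policy JSON allows a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy_json, action):
    """Return True if the policy lets `action` through.

    Rules modeled: an explicit Deny always wins; otherwise at least one Allow must
    match; otherwise the action is denied (implicit deny). Resource and Condition
    elements are ignored in this simplified model.
    """
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" in stmt:
            matched = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            matched = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            continue  # a statement with neither element matches nothing here
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny overrides any allow
        allowed = True
    return allowed


def effective_allow(scp_json, identity_policy_json, action):
    """An action is usable only when BOTH the SCP boundary and the identity policy allow it."""
    return policy_allows(scp_json, action) and policy_allows(identity_policy_json, action)


def denied_by_boundary(scp_json, identity_policy_json, actions):
    """Actions the identity policy grants but the SCP strips away: the practical effect
    of the service boundary on a department's power users."""
    return sorted(a for a in actions
                  if policy_allows(identity_policy_json, a) and not policy_allows(scp_json, a))


if __name__ == "__main__":
    sample = ["ec2:RunInstances", "lambda:CreateFunction", "dynamodb:PutItem", "iam:CreateUser"]
    print("Stripped by approved-services SCP:",
          denied_by_boundary(APPROVED_SERVICES_SCP, POWER_USER_IAM_POLICY, sample))
    print("Stripped by full-access SCP:",
          denied_by_boundary(FULL_ACCESS_SCP, POWER_USER_IAM_POLICY, sample))
```

The point the model makes is the one the question turns on: granting a department power-user permissions inside an account does not by itself limit which services it can reach; the limit comes from the SCP attached to the account's OU, and an account created by Account Factory inherits whatever SCPs apply to the OU it is placed in. Real evaluation also considers resources, conditions, permissions boundaries and session policies, and SCPs never restrict the management account or service-linked roles.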

Comments

ExtHo
Highly Voted 3 years, 8 months ago
B. It looks like AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure. The Account Factory automates provisioning of new accounts in your organization. As a configurable account template, it helps you standardize the provisioning of new accounts with pre-approved account configurations. You can configure your Account Factory with pre-approved network configuration and region selections. https://aws.amazon.com/controltower/features/
upvoted 14 times
heany
2 years, 7 months ago
A doesn't address "Each department should be allowed to create AWS accounts with preconfigured networking". B and C don't address "should have access to only a specific list of approved services". D doesn't make sense. If SCP can be added to B, then B is a perfect answer. Anyway, this Q&A is not a good one.
upvoted 1 times
cldy
Most Recent 3 years, 6 months ago
B. Deploy an AWS Control Tower landing zone. Create an AD Connector linked to the on-premises Active Directory. Change the identity source in AWS Single Sign-On to use Active Directory. Allow department administrators to use Account Factory to create new member accounts and networking. Grant the departments AWS power user permissions on the created accounts.
upvoted 1 times
AzureDP900
3 years, 6 months ago
B is perfect
upvoted 1 times
student22
3 years, 7 months ago
B Control Tower + AD Connector + Account Factory
upvoted 2 times
andylogan
3 years, 7 months ago
It's B
upvoted 1 times
tgv
3 years, 7 months ago
BBB --- Key: "Each department should be allowed to create AWS accounts with preconfigured networking"
upvoted 1 times
WhyIronMan
3 years, 7 months ago
I'll go with B
upvoted 1 times
Waiweng
3 years, 7 months ago
it's B https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
upvoted 2 times
Kayode
3 years, 7 months ago
The answer is B https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
upvoted 2 times
TerrenceC
3 years, 8 months ago
Although option #A points out the key factor, SCP, it does not emphasize its major functionality, which is the service boundary in this case. All the options here are more about how to govern the accounts. According to the introduction (https://aws.amazon.com/controltower/?nc2=h_ql_prod_mg_ct), there are two highlights that make option #B much more ideal than #A. 1) Blueprints are available to provide identity management, federate access to accounts, centralize logging, establish cross-account security audits, define workflows for provisioning accounts, and implement account baselines with network configurations. 2) Control Tower provides mandatory and strongly recommended high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), or detect policy violations using AWS Config rules.
upvoted 4 times
KevinZhong
3 years, 8 months ago
Seems to be B. AWS Control Tower seems to maintain the control of AWS Organizations, AWS Service Catalog and AWS Config. https://d1.awsstatic.com/whitepapers/aws-overview.pdf (46)
upvoted 1 times
Flosuccess
3 years, 8 months ago
Is Service Catalog not more in line with "access to only a specific list of approved services"? Maybe C.
upvoted 3 times
mijeko8879
3 years, 7 months ago
C it is: https://aws.amazon.com/blogs/mt/automate-account-creation-and-resource-provisioning-using-aws-service-catalog-aws-organizations-and-aws-lambda/
upvoted 3 times
eji
3 years, 8 months ago
I go for A. Keyword: "access to only a specific list of approved services." It means SCP.
upvoted 1 times
sarah_t
3 years, 8 months ago
In Control Tower you can apply guardrails to OUs (restricting what those accounts can do). With Account Factory you can determine which OU the newly created account belongs to.
upvoted 1 times
awsnoob
3 years, 8 months ago
Should be A: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
upvoted 1 times
awsnoob
3 years, 8 months ago
Nvm, it is B. I misread the question.
upvoted 3 times
wasabidev
3 years, 8 months ago
I think A
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%)