Exam AWS Certified Solutions Architect - Professional topic 1 question 436 discussion

A large company experienced a drastic increase in its monthly AWS spend after Developers accidentally launched Amazon EC2 instances in unexpected regions. The company has established least-privilege practices for Developers and controls access to on-premises resources using Active Directory groups. The company now wants to control costs by restricting the level of access that Developers have to the AWS Management Console without impacting their productivity. The company would also like to allow Developers to launch Amazon EC2 in only one region, without limiting access to other services in any region.
How can this company achieve these new security requirements while minimizing the administrative burden on the Operations team?

  • A. Set up SAML-based authentication tied to an IAM role that has an AdministrativeAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.
  • B. Create an IAM user for each Developer and add them to the developer IAM group that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that allows the Developers access to Amazon EC2 only in the required region.
  • C. Set up SAML-based authentication tied to an IAM role that has a PowerUserAccess managed policy and a customer managed policy that denies all Developers access to any AWS services except AWS Service Catalog. Within AWS Service Catalog, create a product containing only the EC2 resources in the approved region.
  • D. Set up SAML-based authentication tied to an IAM role that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.
Suggested Answer: D
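To make the mechanics of option D concrete, here is an added example (not from the page, and not AWS's published policy text) that writes the customer managed Deny policy as JSON and runs it, together with a simplified stand-in for the PowerUserAccess managed policy, through a minimal model of IAM's evaluation rule. The approved region `us-east-1`, the helper names and the sample actions are all assumptions chosen for illustration; `aws:RequestedRegion` is a real IAM global condition key.

```python
"""Option D illustrated: PowerUserAccess plus a customer managed Deny on ec2:*
outside the approved region, checked with a minimal model of IAM's
allow/deny evaluation. Added example; values below are constructed."""
import fnmatch
import json

APPROVED_REGION = "us-east-1"  # assumption: the one region Developers may use for EC2

# Simplified stand-in for the AWS managed PowerUserAccess policy: an Allow on
# every action except iam:*, organizations:* and account:*. The real managed
# policy also carries a handful of narrow exceptions (service-linked roles,
# a few read-only calls) that are omitted here for brevity.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"}
    ],
}

# The customer managed policy from option D. A single statement denies every
# EC2 action whenever the request is not aimed at the approved region. Because
# the Deny is scoped to ec2:*, every other service stays usable in every region.
RESTRICT_EC2_REGION = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEC2OutsideApprovedRegion",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGION}},
        }
    ],
}


def _matches(patterns, action):
    """Case-insensitive IAM-style wildcard match of an action against Action/NotAction."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate only the string operators this example needs."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def _statement_applies(stmt, action, context):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    return _condition_holds(stmt.get("Condition"), context)


def evaluate(policies, action, region):
    """IAM's basic rule: an applicable explicit Deny always wins; otherwise any
    applicable Allow grants; otherwise the request is implicitly denied."""
    context = {"aws:RequestedRegion": region}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "deny"


# Both policies attached to the single federated Developer role (option D).
DEVELOPER_ROLE_POLICIES = [POWER_USER_ACCESS, RESTRICT_EC2_REGION]


def developer_decision(action, region):
    return evaluate(DEVELOPER_ROLE_POLICIES, action, region)


if __name__ == "__main__":
    print(json.dumps(RESTRICT_EC2_REGION, indent=2))
    samples = [  # constructed requests a Developer might make
        ("ec2:RunInstances", "us-east-1"),
        ("ec2:RunInstances", "ap-southeast-2"),
        ("s3:CreateBucket", "ap-southeast-2"),
        ("iam:CreateUser", "us-east-1"),
    ]
    for action, region in samples:
        print(f"{action:20} {region:16} -> {developer_decision(action, region)}")
```

The run shows why D satisfies both requirements with one role: EC2 launches are allowed only in the approved region, other services remain allowed in any region, and IAM user management is still outside what PowerUserAccess grants. The same Deny statement can be validated against a real account with the IAM policy simulator before attaching it to the SAML-federated role.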

Comments

donathon
Highly Voted 3 years, 10 months ago
D. A: This will grant too much access. B: Should be SAML-based due to the AD group. C: This will block the developers from other access that they may need. The key is “any AWS services”.
upvoted 34 times
...
Moon
Highly Voted 3 years, 10 months ago
Agree with "donathon", Answer D is the correct one for the same reasons. The tricks here are: - SAML for AD federation and authentication - PowerUserAccess vs AdministrativeAccess (PowerUser has less privilege, which is the required one for developers; Admin has more rights). The description of "PowerUserAccess" given by AWS is “Provides full access to AWS services and resources, but does not allow management of Users and groups.”
upvoted 19 times
...
SkyZeroZx
Most Recent 2 years, 1 month ago
Selected Answer: D
Agree with "donathon", Answer D is the correct one for the same reasons. The tricks here are: - SAML for AD federation and authentication - PowerUserAccess vs AdministrativeAccess (PowerUser has less privilege, which is the required one for developers; Admin has more rights). The description of "PowerUserAccess" given by AWS is “Provides full access to AWS services and resources, but does not allow management of Users and groups.”
upvoted 1 times
...
mimadour21698
2 years, 3 months ago
Selected Answer: D
Go for D
upvoted 1 times
...
mrgreatness
2 years, 9 months ago
D - federate access, so just one role which can be assumed, with the PowerUser policy attached and then another policy with a condition to restrict the region. I recreated this. 100pc D
upvoted 1 times
...
pixepe
2 years, 11 months ago
C is ruled out as "The company would also like to allow Developers to launch Amazon EC2 in only one region, without limiting access to other services in any region."
upvoted 1 times
pixepe
2 years, 11 months ago
Hence D is the only correct answer.
upvoted 1 times
...
...
AzureDP900
3 years, 7 months ago
D is the more logical answer based on the question: "without restricting access to other services in any region". C only gives access to the EC2 service and nothing else.
upvoted 1 times
...
cldy
3 years, 8 months ago
D. Set up SAML-based authentication tied to an IAM role that has the PowerUserAccess managed policy attached to it. Attach a customer managed policy that denies access to Amazon EC2 in each region except for the one required.
upvoted 1 times
...
AzureDP900
3 years, 8 months ago
D is right
upvoted 1 times
...
seyik
3 years, 9 months ago
C. AWS Service Catalog allows you to centrally manage deployed IT services and your applications, resources, and metadata. This helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need. With AWS Service Catalog AppRegistry, organizations can understand the application context of their AWS resources. https://aws.amazon.com/servicecatalog/?aws-service-catalog.sort-by=item.additionalFields.createdDate&aws-service-catalog.sort-order=desc
upvoted 1 times
...
andylogan
3 years, 9 months ago
It's D - exclude C because "deny all the Developers access to any AWS services except AWS Service Catalog."
upvoted 2 times
...
WhyIronMan
3 years, 9 months ago
I'll go with D
upvoted 1 times
...
Akhil254
3 years, 9 months ago
D Correct
upvoted 1 times
...
Radhaghosh
3 years, 9 months ago
Two aspects in this question. The first is "restricting the level of access that Developers have to the AWS Management Console without impacting their productivity" -- this eliminates Option A (as the user should have "PowerUserAccess"). The second point is "The company would also like to allow Developers to launch Amazon EC2 in only one region, without limiting access to other services in any region." - this eliminates Option C. Now, to provide access via on-premises Active Directory groups, you need SAML. So the Correct Option is C
upvoted 1 times
Radhaghosh
3 years, 9 months ago
I am sorry for the typo. The Correct Option is D
upvoted 2 times
...
...
Waiweng
3 years, 9 months ago
D is correct
upvoted 2 times
...
Kian1
3 years, 9 months ago
Will go with D
upvoted 2 times
...
Ebi
3 years, 9 months ago
D is the answer
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other