Exam AWS-SysOps topic 1 question 650 discussion

Exam question from Amazon's AWS-SysOps
Question #: 650
Topic #: 1

A company is using AWS Organizations to manage all their accounts. The Chief Technology Officer wants to prevent certain services from being used within production accounts until the services have been internally certified. They are willing to allow developers to experiment with these uncertified services in development accounts but need a way to ensure that these services are not used within production accounts.
Which option ensures that services are not allowed within the production accounts, yet are allowed in separate development accounts with the LEAST administrative overhead?

  • A. Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts.
  • B. Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
  • C. Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts. Allow the services to run in development accounts.
  • D. Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non-certified services when found in a production account.
Suggested Answer: B

Comments

kkwang
Highly Voted 2 years, 7 months ago
B is the correct answer
upvoted 15 times
...
albert_kuo
Most Recent 10 months ago
Selected Answer: B
In this scenario, you can create an OU specifically for the production accounts and apply a restrictive SCP that whitelists only the certified services. This ensures that only the approved services are allowed within the production environment. On the other hand, for the development accounts, you can apply a less restrictive SCP or no SCP at all. This allows developers to experiment with uncertified services without hindrance. This approach minimizes administrative overhead as it provides centralized control through SCPs at the OU level. It ensures that the desired services are restricted in production accounts while allowing flexibility in the development accounts.
upvoted 1 times
...
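The allow-list evaluation described in the comment above, as an added example that is not part of the original discussion: a simplified Python model of how SCPs attached at the root, OU and account levels combine. The OU and account names and the list of "certified" services are constructed assumptions, and the model handles only `Effect` and `Action` (no `NotAction`, `Resource` or `Condition`).

```python
import fnmatch

# Constructed organization: each node maps to its parent (None marks the root).
PARENT = {"root": None, "ou-production": "root", "ou-development": "root",
          "prod-account": "ou-production", "dev-account": "ou-development"}

FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Allow list for production; the "certified" services are an assumption.
CERTIFIED_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "rds:*"], "Resource": "*"}]}

# SCPs attached at each level. FullAWSAccess is detached from ou-production.
ATTACHED = {"root": [FULL_ACCESS],
            "ou-production": [CERTIFIED_ONLY],
            "ou-development": [FULL_ACCESS],
            "prod-account": [FULL_ACCESS],
            "dev-account": [FULL_ACCESS]}

def _matches(stmt, action):
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def level_decision(policies, action):
    """Decision of one level: 'deny', 'allow' or 'implicit-deny'."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _matches(s, action)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "implicit-deny"

def scp_permits(target, action):
    """True only if every level from the account up to the root allows it."""
    node = target
    while node is not None:
        if level_decision(ATTACHED.get(node, []), action) != "allow":
            return False
        node = PARENT[node]
    return True

if __name__ == "__main__":
    for acct in ("prod-account", "dev-account"):
        for action in ("ec2:RunInstances", "sagemaker:CreateNotebookInstance"):
            print(acct, action, scp_permits(acct, action))
```

If `FULL_ACCESS` stays attached to `ou-production` next to `CERTIFIED_ONLY`, that level allows every action and the allow list has no effect. SCPs only set the upper bound; IAM policies in the account must still grant the action.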
asfsdfsdf
2 years, 2 months ago
Selected Answer: B
B looks good as it matches LEAST administrative overhead
upvoted 1 times
...
TroyMcLure
2 years, 6 months ago
Correct Answer: B
upvoted 1 times
...
RicardoD
2 years, 6 months ago
B is the answer
upvoted 1 times
...
abhishek_m_86
2 years, 6 months ago
B. Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
upvoted 2 times
...
jackdryan
2 years, 7 months ago
I'll go with B
upvoted 2 times
...
MFDOOM
2 years, 7 months ago
B. Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts.
upvoted 2 times
...
joe_smoe
2 years, 7 months ago
B is the answer; whitelisting is easier to do. Everything else is blacklisted due to the implicit deny principle.
upvoted 2 times
...
Kilonso
2 years, 7 months ago
Ans B is correct
upvoted 1 times
...
cloud
2 years, 7 months ago
B is the answer
upvoted 1 times
...
coolboylqy
2 years, 7 months ago
Should it be A?
upvoted 1 times
...