
Exam AWS Certified Solutions Architect - Professional All Questions


Exam AWS Certified Solutions Architect - Professional topic 1 question 467 discussion

A company is using AWS for production and development workloads. Each business unit has its own AWS account for production, and a separate AWS account to develop and deploy its applications. The Information Security department has introduced new security policies that limit access for terminating certain Amazon EC2 instances in all accounts to a small group of individuals from the Security team.
How can the Solutions Architect meet these requirements?

  • A. Create a new IAM policy that allows access to those EC2 instances only for the Security team. Apply this policy to the AWS Organizations master account.
  • B. Create a new tag-based IAM policy that allows access to these EC2 instances only for the Security team. Tag the instances appropriately, and apply this policy in each account.
  • C. Create an organizational unit under AWS Organizations. Move all the accounts into this organizational unit and use SCP to apply a whitelist policy to allow access to these EC2 instances for the Security team only.
  • D. Set up SAML federation for all accounts in AWS. Configure SAML so that it checks for the service API call before authenticating the user. Block SAML from authenticating API calls if anyone other than the Security team accesses these instances.
Suggested Answer: A 🗳️

Comments

Moon
Highly Voted 3 years, 9 months ago
I prefer answer "B". A: applying a policy to the master account does not mean the Security Team! B: using tags on EC2s, then use IAM policy restrictions/rules on these tagged instances. C: an organizational unit is used to limit access, but not to provide privileges. D: SAML is used for federation with on-premises, which is not the case here!
upvoted 51 times
NickGR
3 years, 8 months ago
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/
upvoted 1 times
examacc
3 years, 9 months ago
This way you cannot limit root from controlling the targeted instances.
upvoted 2 times
9Ow30
3 years, 9 months ago
Can you explain what you mean? We can do something like this, right? https://aws.amazon.com/premiumsupport/knowledge-center/restrict-ec2-iam/
upvoted 2 times
exergeng
3 years, 8 months ago
An IAM user is different from an AWS account. Without using an IAM role/AWS Organizations, it is not possible to manage access privileges of other AWS accounts. Choose C.
upvoted 1 times
Smart
3 years, 9 months ago
Agreed. B vs. C: SCPs are similar to IAM permission policies and use almost the same syntax. However, an SCP never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU). https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html#scp-effects-on-permissions
upvoted 7 times
Smart
3 years, 9 months ago
Revisiting this question. There is no mention of cross-account access. I am not sure if this should be automatically assumed. I wonder if option D can be an option (it doesn't have to have an on-prem setup). Even in that, identities are authenticated & federated, then authorized based on role; here it seems to be happening the other way around.
upvoted 1 times
RVivek
Highly Voted 3 years, 5 months ago
It seems the answers are not for this question. The correct set of answers:
  • A. Modify the application to call the web service via Amazon API Gateway. Then create a new AWS Lambda Java function to run the Java web service code. After testing, change API Gateway to use the Lambda function.
  • B. Lift and shift the Apache server to the cloud using AWS SMS. Then switch the application to direct web service traffic to the new instance.
  • C. Create a Docker image and migrate the image to Amazon ECS. Then change the application code to direct web service queries to the ECS container.
  • D. Use AWS Elastic Beanstalk to deploy the Java web service and enable Auto Scaling. Then switch the application to use the new web service.
Answer: D
upvoted 37 times
3a632a3
Most Recent 1 year, 6 months ago
Selected Answer: C
C is the most straight forward answer to achieve what is being asked. The question is asking to "limit access" which is what SCPs are designed to do. The question does not ask to grant access to the security team.
upvoted 1 times
marszalekm
1 year, 5 months ago
This is exactly the opposite of what SCPs do: they deny by default, not allow.
upvoted 1 times
SkyZeroZx
2 years ago
Selected Answer: C
Here's how option C addresses the requirements:
Create an organizational unit (OU) under AWS Organizations: AWS Organizations allows you to centrally manage and govern multiple AWS accounts. By creating an OU specifically for the accounts related to the company's production and development workloads, you can organize them in a logical structure.
Move all the accounts into the organizational unit: Once the OU is created, you can move the existing AWS accounts for production and development workloads into this OU. This helps in centralizing the management of these accounts.
Use Service Control Policies (SCPs): SCPs allow you to set fine-grained permissions and access controls for AWS accounts within an organization. You can create an SCP that specifies a whitelist policy, allowing access to terminate specific EC2 instances only for the Security team. By applying this SCP to the OU that contains the accounts, you enforce the access restrictions across all the relevant accounts.
upvoted 1 times
SkyZeroZx
2 years ago
Option A (Create a new IAM policy and apply it to the AWS Organizations master account) is not the recommended approach because IAM policies are account-specific and cannot be directly applied to the AWS Organizations master account. Option B (Create a tag-based IAM policy and apply it in each account) would require manual tagging of the EC2 instances and applying the policy in each account separately, which can be cumbersome and prone to errors. Option D (Set up SAML federation and block authentication for API calls) is not the most direct solution for limiting access to terminating EC2 instances. SAML federation primarily focuses on federated access and single sign-on (SSO) and may not provide the necessary granularity for restricting access to specific EC2 instances. Therefore, option C (creating an organizational unit, moving the accounts, and applying an SCP) is the most suitable option for meeting the requirements and enforcing the access restrictions effectively.
upvoted 1 times
dev112233xx
2 years, 2 months ago
Selected Answer: C
I prefer C. An organization solution is the best for multi-account restrictions, and you can create an SCP policy to allow only the security team to perform the EC2 actions. B can't be correct: users can easily work around the restriction by changing the tags of the instances and then terminating them without any issue (the correct policy should restrict according to the user tags, not the instance tags).
upvoted 1 times
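As an added illustration (not from this thread or from AWS) of the tag-based approach in option B together with the retag bypass raised above: a guardrail policy that limits ec2:TerminateInstances on Protected=true instances, and edits of that tag, to principals tagged team=security, checked with a deliberately simplified model of IAM's deny-then-allow evaluation. The tag names, the team value, the Sids and the request contexts are assumptions.

```python
import fnmatch
# Constructed example, not AWS's engine: a tag-based (ABAC) guardrail like option B
# plus a toy model of IAM evaluation (explicit Deny wins, then Allow, else implicit Deny).
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OnlySecurityTerminatesProtected", "Effect": "Deny",
     "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Protected": "true"},
                   "StringNotEquals": {"aws:PrincipalTag/team": "security"}}},
    {"Sid": "OnlySecurityEditsProtectedTag", "Effect": "Deny",  # closes the retag bypass
     "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Protected"]},
                   "StringNotEquals": {"aws:PrincipalTag/team": "security"}}},
    {"Sid": "Baseline", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
]}
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # ctx maps condition keys to request values; only the three operators used above are modelled.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            hit = any(h in _as_list(want) for h in _as_list(ctx.get(key, [])))
            # As in IAM, StringNotEquals evaluates to true when the key is absent.
            if not ((not hit) if op == "StringNotEquals" else hit):
                return False
    return True

def evaluate(policy, action, ctx):
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"  # a single matching Deny ends evaluation
        decision = "Allow"
    return decision

def demo():
    # Constructed requests from a dev principal and a security principal.
    prot, dev, sec = {"aws:ResourceTag/Protected": "true"}, {"aws:PrincipalTag/team": "dev"}, {"aws:PrincipalTag/team": "security"}
    return {
        "dev_terminate_protected": evaluate(GUARDRAIL_POLICY, "ec2:TerminateInstances", {**prot, **dev}),
        "sec_terminate_protected": evaluate(GUARDRAIL_POLICY, "ec2:TerminateInstances", {**prot, **sec}),
        "dev_terminate_unprotected": evaluate(GUARDRAIL_POLICY, "ec2:TerminateInstances", dev),
        "dev_strip_protected_tag": evaluate(GUARDRAIL_POLICY, "ec2:DeleteTags", {**dev, "aws:TagKeys": ["Protected"]}),
        "dev_add_name_tag": evaluate(GUARDRAIL_POLICY, "ec2:CreateTags", {**dev, "aws:TagKeys": ["Name"]}),
    }
```

In a real account these Deny statements only bite if they reach every principal, for example through an SCP or a permissions boundary, which is the gap between B and C that the thread argues about.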
Lorrendo
2 years, 7 months ago
Selected Answer: B
IAM Policy + Tag -> ABAC model https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
upvoted 1 times
AjayPrajapati
2 years, 8 months ago
Selected Answer: B
B mentions applying the policy to all accounts, which makes sense vs. applying it to the master account in A.
upvoted 1 times
kharakbeer
2 years, 8 months ago
Selected Answer: B
B is the correct answer
upvoted 1 times
Yashar1691
2 years, 8 months ago
Selected Answer: B
B is correct.
upvoted 1 times
dmscountera
2 years, 9 months ago
Selected Answer: B
Based on all comments
upvoted 2 times
Rocketeer
2 years, 10 months ago
Answer seems to be C - https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/#:~:text=For%20example%2C%20you%20can%20use,used%20for%20your%20central%20administrators.
upvoted 2 times
LiamNg
3 years, 2 months ago
Selected Answer: A
The answers correspond to the incorrect question. Here are the answers:
  • A. Use AWS Elastic Beanstalk to deploy the Java web service and enable Auto Scaling. Then switch the application to use the new web service.
  • B. Lift and shift the Apache server to the cloud using AWS SMS. Then switch the application to direct web service traffic to the new instance.
  • C. Create a Docker image and migrate the image to Amazon ECS. Then change the application code to direct web service queries to the ECS container.
  • D. Modify the application to call the web service via Amazon API Gateway. Then create a new AWS Lambda Java function to run the Java web service code. After testing, change API Gateway to use the Lambda function.
Correct Answer should be: A (least effort)
upvoted 6 times
user0001
3 years, 1 month ago
I agree with you, the answers are not related to this question.
upvoted 1 times
sTeVe86
3 years, 5 months ago
To me, this question doesn't match the answers; it didn't make any sense.
upvoted 11 times
GeniusMikeLiu
3 years, 5 months ago
What's the main point of this question? I am confused after reading it.
upvoted 2 times
Duke_YU
3 years, 5 months ago
I don't understand this question and answers at all. The question is about "The organization needs a smooth transfer of the program to AWS and the ability for the application to scale in response to demand". Why are the answers about IAM and the security team? Couldn't Auto Scaling groups, Route 53 and CNAME records satisfy the requirement?
upvoted 4 times
Bigbearcn
3 years, 5 months ago
They made a mistake. This is question 466 and the answer options are for 467.
upvoted 3 times
student22
3 years, 8 months ago
B --- Not D because we need to limit access to EC2 instances, not the EC2 service.
upvoted 1 times
WhyIronMan
3 years, 8 months ago
I'll go with B
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other