
Exam AWS Certified Security - Specialty topic 1 question 307 discussion


A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed. The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket.
Which solution meets these requirements with the LEAST amount of operational overhead?

  • A. Implement an organization in AWS Organizations. Build a detective control by monitoring AWS CloudTrail logs for attempts to access the S3 bucket from IP addresses outside the company.
  • B. Deploy an AWS Control Tower landing zone, and migrate the accounts. Create an S3 bucket policy that restricts access to only a principal list of accounts that have been manually entered.
  • C. Create an organization in AWS Organizations. Invite the AWS accounts to join the organization. Create a resource policy that includes a PrincipalOrgID condition key for the S3 bucket.
  • D. Invite all of the company's AWS accounts into AWS Control Tower. Use AWS Control Tower's automatic protection for the AWS accounts to deny access from external users.
Suggested Answer: C

Comments

jayaj
Highly Voted 3 years, 5 months ago
C is correct. Once all the AWS accounts are invited to the organization, you can define the aws:PrincipalOrgID condition and set the value to your organization ID in the S3 bucket policy. Then only the accounts in your Organization can access the S3 bucket and any new account also will have the same policy applied.
upvoted 9 times
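The bucket policy this comment describes, written out as an added example (it is not part of the thread and not an AWS sample). The bucket name and the organization ID `o-a1b2c3d4e5f6` are placeholders; the `find_unscoped_allows` linter is an added check that flags Allow statements granting to every AWS principal without an `aws:PrincipalOrgID` condition, which is the mistake that would turn option C into a public bucket.

```python
"""Build an S3 bucket policy scoped to one AWS Organization with aws:PrincipalOrgID,
and lint a bucket policy for Allow statements open to every AWS principal that lack
that condition. Added example; bucket name and organization ID are placeholders."""
import json
import re

ORG_CONDITION_KEY = "aws:PrincipalOrgID"
# Organization IDs are "o-" followed by 10 to 32 lowercase letters/digits
# (the Id pattern published in the AWS Organizations API reference).
_ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")


def is_org_id(value: str) -> bool:
    """True if value has the shape of an AWS Organizations ID."""
    return bool(_ORG_ID_RE.match(value))


def build_org_scoped_policy(bucket: str, org_id: str) -> dict:
    """Bucket policy granting read access only to principals whose account is in org_id.

    Principal "*" means new member accounts need no policy change; the
    aws:PrincipalOrgID condition leaves outside principals with no grant at all.
    The explicit Deny is belt-and-braces so a later, broader Allow cannot
    quietly widen access beyond the organization."""
    if not is_org_id(org_id):
        raise ValueError(f"not an AWS Organizations ID: {org_id!r}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = [bucket_arn, f"{bucket_arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadFromOrg",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": resources,
                "Condition": {"StringEquals": {ORG_CONDITION_KEY: org_id}},
            },
            {
                "Sid": "DenyOutsideOrg",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"StringNotEquals": {ORG_CONDITION_KEY: org_id}},
            },
        ],
    }


def _as_list(value) -> list:
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_to_any_aws_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means every AWS principal (and anonymous)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _pinned_to_org(condition: dict) -> bool:
    """True if a positive string-equality operator tests aws:PrincipalOrgID.
    Operator and condition key names are case-insensitive in IAM."""
    for operator, keys in condition.items():
        if operator.lower() in ("stringequals", "stringequalsignorecase"):
            if any(k.lower() == ORG_CONDITION_KEY.lower() for k in keys):
                return True
    return False


def find_unscoped_allows(policy: dict) -> list:
    """Sid (or index) of each Allow statement that grants to any AWS principal
    without pinning the caller to an organization."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_to_any_aws_principal(stmt.get("Principal")):
            continue
        if not _pinned_to_org(stmt.get("Condition", {})):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed "before" policy: cross-account access "fixed" by opening the bucket.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-reports/*",
    }],
}

if __name__ == "__main__":
    scoped = build_org_scoped_policy("example-corp-reports", "o-a1b2c3d4e5f6")
    print(json.dumps(scoped, indent=2))
    print("unscoped Allows in scoped policy:", find_unscoped_allows(scoped))
    print("unscoped Allows in OPEN_POLICY:", find_unscoped_allows(OPEN_POLICY))
```

To use it for real, read the organization ID from the management account with `aws organizations describe-organization --query Organization.Id --output text`, write the generated document to a file and apply it with `aws s3api put-bucket-policy --bucket example-corp-reports --policy file://policy.json`. Two checks worth making afterwards: S3 treats an Allow to `Principal "*"` that is conditioned on `aws:PrincipalOrgID` as non-public, so the policy is accepted with S3 Block Public Access left on, and a principal in any member account (including the management account) can read while a principal from an account outside the organization gets AccessDenied with no per-account list to maintain.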
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
Correct answer is C.
upvoted 1 times
Toptip
2 years, 1 month ago
Selected Answer: C
C makes sense. Use "aws:PrincipalOrgID" in the bucket policy.
upvoted 1 times
ITGURU51
2 years, 2 months ago
Organizations provide a centralized location where accounts can be managed, with the least amount of operational overhead. C
upvoted 1 times
gerches
2 years, 2 months ago
Selected Answer: C
It is not B because it says to maintain a list; using the org ID is faster.
upvoted 1 times
G4Exams
2 years, 2 months ago
Selected Answer: C
CT is best practice but the scenario asks for LEAST operational overhead so it's definitely C.
upvoted 1 times
sapien45
2 years, 11 months ago
Selected Answer: C
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/ To require the principal account to be in my organization, I add a condition to my policy using the global condition key aws:PrincipalOrgID. This condition requires that only principals from accounts in my organization can access the S3 bucket. This means that although Steve is one of the principals in the policy, he can’t access the financial report because the account that he is a member of doesn’t belong to my organization.
upvoted 1 times
AliS2020
3 years, 5 months ago
C is correct AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account (including the master account) in the organization. For example, let’s say you have an Amazon S3 bucket policy and you want to restrict https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/
upvoted 1 times
Radhaghosh
3 years, 5 months ago
Option C is correct. The question asks about "organization wishes to block customers who do not have company-owned AWS accounts from accessing a corporate-owned Amazon S3 bucket." --> All company accounts should be in the Organization to use aws:PrincipalOrgID.
upvoted 1 times
argol
3 years, 6 months ago
AWS Control Tower creates your landing zone using AWS Organizations, thereby bringing together ongoing account management and governance, as well as implementation of best practices based on our experience of working with thousands of customers as they migrate to the cloud. AWS CT lets builders provision new AWS accounts in just a few clicks, while you have peace of mind knowing that your accounts conform to company-wide policies. AWS customers can implement AWS CT, extend governance into new or existing accounts, and quickly gain visibility into their compliance status. Should be "C".
upvoted 1 times
aj2aj2
3 years, 4 months ago
Why not B? AWS CT simplifies (faster) the process of setting up new multi-account environments with predefined security baseline templates.
upvoted 2 times
roger8978
3 years, 6 months ago
Sorry. I read the options again. C actually talks about adding ALL AWS accounts.
upvoted 1 times
roger8978
3 years, 6 months ago
A - No B- Yes. Also talk about S3 bucket protection C - No. The question is asking to maintain ALL the accounts not just AWS accounts. D - No. It could've been correct but it doesn’t talk about S3 protection
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other