ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified SysOps Administrator - Associate All Questions

View all questions & answers for the AWS Certified SysOps Administrator - Associate exam
Go to Exam

Exam AWS Certified SysOps Administrator - Associate topic 1 question 34 discussion

Exam question from Amazon's AWS Certified SysOps Administrator - Associate
Question #: 34
Topic #: 1
[All AWS Certified SysOps Administrator - Associate Questions]

A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer data. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company.
What is the MOST operationally efficient solution that meets these requirements?

  • A. Configure AWS CloudTrail in all Regions to record all API activity. Create an Amazon EventBridge (Amazon CloudWatch Events) rule in all unauthorized Regions for ec2:RunInstances events. Use AWS Lambda to terminate the launched EC2 instances.
  • B. In each AWS account, create a managed IAM policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions. Attach this policy to all IAM groups in each AWS account.
  • C. In each AWS account, create an IAM permissions boundary policy that uses a Region condition to deny the ec2:RunInstances action in all unauthorized Regions. Attach the permissions boundary policy to all IAM users in each AWS account.
  • D. Create a service control policy (SCP) in AWS Organizations to deny the ec2:RunInstances action in all unauthorized Regions. Attach this policy to the root level of the organization.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by haxaffee at Aug. 31, 2022, 7:30 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
haxaffee
Highly Voted 2 years, 3 months ago
Selected Answer: D
Def D here. If this question has something like "Use Control Tower and setup the landing zone with provisioned regions" that would take be correct but there is no Control Tower option on this one.
upvoted 10 times
Mangesh_XI_mumbai
1 year, 1 month ago
you are right if control tower is mentioned somewhere it would be easy to answer this, that is what they tricked in the question here, coz without control tower too, we can use SCPs using organization. otherwise most of them would go for A.
upvoted 1 times
...
jipark
1 year, 4 months ago
chatGPT says : "Option D provides the most efficient solution because it offers centralized control, granularity, and automatic enforcement across the organization's accounts, without the need for implementing and maintaining additional mechanisms like CloudTrail, CloudWatch Events, Lambda functions, IAM policies, or permissions boundaries."
upvoted 1 times
...
koltysh
1 year, 5 months ago
What exact control tower you are talking about?
upvoted 1 times
...
...
Pisces225
Most Recent 1 month, 2 weeks ago
Selected Answer: D
D - just adding to consensus.
upvoted 1 times
...
tamng
12 months ago
D. Create a service control policy (SCP) in AWS Organizations to deny the ec2:RunInstances action in all unauthorized Regions. Attach this policy to the root level of the organization.
upvoted 1 times
...
michaldavid
2 years ago
Selected Answer: D
dddddddddd
upvoted 2 times
...
Liongeek
2 years, 1 month ago
Ans: D
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel