Exam AWS Certified Solutions Architect - Professional topic 1 question 930 discussion

A company is using AWS Organizations to manage multiple accounts. Due to regulatory requirements, the company wants to restrict specific member accounts to certain AWS Regions, where they are permitted to deploy resources. The resources in the accounts must be tagged, enforced based on a group standard, and centrally managed with minimal configuration.
What should a solutions architect do to meet these requirements?

  • A. Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy.
  • B. From the AWS Billing and Cost Management console, in the management account, disable Regions for the specific member accounts and apply a tag policy on the root.
  • C. Associate the specific member accounts with the root. Apply a tag policy and an SCP using conditions to limit Regions.
  • D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.
Suggested Answer: D

Comments

SGES
Highly Voted 2 years, 9 months ago
D - Agreed. Put those member accounts in an OU, then use a tagging policy and SCP-based conditions to achieve the required compliance.
upvoted 8 times
joancarles
2 years, 8 months ago
Link for an example: https://aws.amazon.com/es/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/
upvoted 1 times
ggrodskiy
Most Recent 1 year, 11 months ago
Correct D.
upvoted 1 times
masetromain
2 years, 5 months ago
Selected Answer: D
By applying a tag policy and an SCP using conditions to limit Regions, the architect can ensure that resources in the specific member accounts are tagged and deployed only in the allowed Regions, which will meet the regulatory requirements.
Option A: Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy. While this will limit the Regions and apply a tag policy, it does not provide centralized management and enforcement of the restriction.
Option B: From the AWS Billing and Cost Management console, in the management account, disable Regions for the specific member accounts and apply a tag policy on the root. This will disable Regions for the specific member accounts and apply a tag policy; however, it does not provide a way to enforce the restriction or provide centralized management.
upvoted 1 times
masetromain
2 years, 5 months ago
Option C: Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions. This will limit the Regions and apply a tag policy, but it does not provide centralized management and enforcement of the restriction.
While option C, associating the specific member accounts with the root account and applying a tag policy and an SCP using conditions to limit Regions, is one way to achieve the regulatory compliance requirements, it may not be the most optimal solution. This approach doesn't provide a clear boundary between the member accounts that are subject to the regulatory compliance requirements and other member accounts that are not. Also, it could be harder to identify which accounts are subject to the requirements, as they could be lost in the bigger scope of the root account; this can make it more difficult to manage and monitor compliance.
upvoted 1 times
masetromain
2 years, 5 months ago
In contrast, creating a new organizational unit (OU) in the management account and associating the specific member accounts with that OU, as in option D, provides a clear boundary and a logical grouping of the member accounts that are subject to the regulatory compliance requirements. This approach makes it easier to identify which accounts are subject to the requirements, and it makes it more straightforward to manage and monitor compliance.
upvoted 1 times
akash_it
2 years, 8 months ago
Selected Answer: D
Agree with comments
upvoted 2 times
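
An SCP of the kind answer D refers to, meant to be attached to the OU that holds the restricted accounts (an added example, not part of the original thread or of the linked AWS blog post). The two Regions are constructed values, and the `NotAction` list of global services exempted from the Region check is an assumption to adjust for the services actually in use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Global services are exempted through `NotAction` because their requests are not made against the approved Regions and would otherwise be denied. The SCP is inherited by every account under its attachment point, so attaching it to a dedicated OU rather than the root leaves the other member accounts unrestricted.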