Exam AWS Certified Solutions Architect - Professional topic 1 question 910 discussion

A company is using AWS Single Sign-On (AWS SSO) to centrally manage permissions and access to multiple AWS accounts in AWS Organizations. A solutions architect needs to provide users with granular access to AWS accounts based on different job functions.
What should the solutions architect do to meet these requirements?

  • A. Create an IAM group for each job function. In AWS SSO for the management account, create a permission set for each job function. Add users to the appropriate groups. Assign roles to the corresponding groups in all AWS accounts.
  • B. Create a group in AWS SSO for each job function. In AWS SSO for the management account, create a permission set for each job function. Add users to the appropriate groups. Assign groups to AWS accounts with corresponding permission sets.
  • C. Create an IAM role for each job function in all AWS accounts. Create a group in the management account for each job function. In AWS SSO for the management account, create a permission set for each job function.
  • D. Create an IAM role for each job function in the management account. In AWS SSO for the management account, create a permission set for each IAM role.
Suggested Answer: B
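The workflow option B describes, as an added example written for this page (it is not code from the exam, from the commenters, or from AWS): create an Identity Center group per job function, a permission set per job function, and assign each group to its target accounts with that permission set. It uses the boto3 `sso-admin` and `identitystore` clients (IAM Identity Center is the current name of AWS SSO), assumes an Identity Center instance already exists in the management account, and the job-function catalogue, account IDs and guardrail policy are constructed placeholders. The clients are passed in as parameters so the logic can be exercised against fakes before it is run for real.

```python
"""Option B with boto3: Identity Center groups + permission sets + account
assignments. Added example; assumptions are marked in the comments."""
import json

# Constructed catalogue (placeholder account IDs): one group, one permission
# set and a list of target accounts per job function.
JOB_FUNCTIONS = {
    "DevOps": {
        "managed_policies": ["arn:aws:iam::aws:policy/PowerUserAccess"],
        "session_duration": "PT4H",
        "accounts": ["111111111111", "222222222222"],
    },
    "SecurityAuditor": {
        "managed_policies": ["arn:aws:iam::aws:policy/SecurityAudit"],
        "session_duration": "PT1H",
        "accounts": ["111111111111", "222222222222", "333333333333"],
    },
}

# Constructed guardrail added as an inline policy on every permission set.
# An explicit Deny wins over the managed Allow, so even PowerUserAccess
# cannot switch logging off in the target accounts.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLoggingTamper",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "guardduty:DeleteDetector"],
        "Resource": "*",
    }],
}


def discover_instance(sso_admin):
    """Return (InstanceArn, IdentityStoreId) of the organization's instance."""
    instance = sso_admin.list_instances()["Instances"][0]
    return instance["InstanceArn"], instance["IdentityStoreId"]


def create_job_group(identitystore, identity_store_id, job_function):
    """An Identity Center group (option B), not an IAM group (option A)."""
    resp = identitystore.create_group(
        IdentityStoreId=identity_store_id,
        DisplayName=job_function,
        Description=f"Job function: {job_function}",
    )
    return resp["GroupId"]


def create_job_permission_set(sso_admin, instance_arn, job_function, spec):
    """One permission set per job function: managed policies plus guardrail."""
    resp = sso_admin.create_permission_set(
        InstanceArn=instance_arn,
        Name=job_function,  # permission set names are limited to 32 characters
        Description=f"Job function: {job_function}",
        SessionDuration=spec["session_duration"],
    )
    ps_arn = resp["PermissionSet"]["PermissionSetArn"]
    for policy_arn in spec["managed_policies"]:
        sso_admin.attach_managed_policy_to_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn,
            ManagedPolicyArn=policy_arn)
    sso_admin.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        InlinePolicy=json.dumps(GUARDRAIL_POLICY))
    return ps_arn


def assign_job_functions(sso_admin, identitystore, job_functions):
    """Assign each job-function group to its accounts with its permission set.

    Returns the requested (job_function, group_id, permission_set_arn,
    account_id) tuples. Identity Center itself then provisions the
    AWSReservedSSO_<name>_<hash> role in every target account.
    """
    instance_arn, identity_store_id = discover_instance(sso_admin)
    assignments = []
    for job_function, spec in job_functions.items():
        group_id = create_job_group(identitystore, identity_store_id, job_function)
        ps_arn = create_job_permission_set(sso_admin, instance_arn, job_function, spec)
        for account_id in spec["accounts"]:
            sso_admin.create_account_assignment(
                InstanceArn=instance_arn,
                TargetId=account_id,
                TargetType="AWS_ACCOUNT",
                PermissionSetArn=ps_arn,
                PrincipalType="GROUP",  # assign the group, never individual users
                PrincipalId=group_id,
            )
            assignments.append((job_function, group_id, ps_arn, account_id))
    return assignments


if __name__ == "__main__":
    import boto3  # imported here so the helpers stay importable without it
    session = boto3.Session()  # must carry management-account credentials
    for row in assign_job_functions(session.client("sso-admin"),
                                    session.client("identitystore"),
                                    JOB_FUNCTIONS):
        print(row)
```

Two caveats for real runs: `create_account_assignment` is asynchronous and returns an IN_PROGRESS status, so poll `describe_account_assignment_creation_status` before relying on the role in the target account; and `create_group` / `create_permission_set` are not idempotent, so a second run needs a lookup step (`list_groups`, `list_permission_sets`) before creating. Adding a user to a job function is then a single `create_group_membership` call in the identity store, which is exactly the property the question asks for.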

Comments

pixepe
Highly Voted 2 years, 9 months ago
Answer seems to be B. Snippet: "You can also add the users that you create in AWS SSO to groups you create in AWS SSO. In addition, you can create permissions sets that define permitted actions on an AWS resource, and assign them to your users and groups. For example, you can grant the DevOps group permissions to your production AWS accounts. When you add users to the DevOps group, they get access to your production AWS accounts automatically." Ref - https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/ PS - The new service is AWS IAM Identity Center (successor to AWS Single Sign-On).
upvoted 8 times
masetromain
Most Recent 2 years, 5 months ago
Selected Answer: B
The most appropriate solution for the given requirement is option B. The solutions architect should create a group in AWS SSO for each job function and, in the management account, create a permission set for each job function, then add users to the appropriate groups and assign the groups to AWS accounts with the corresponding permission sets. This approach allows the solutions architect to create granular permissions for different job functions by creating separate groups for each job function and assigning the corresponding permission sets to each group. This way all the users in that group will have the permissions based on the job function. AWS SSO is a central service to manage access to multiple AWS accounts; it allows you to create groups and assign different permission sets to them, and in addition it allows you to connect these groups with AWS accounts.
upvoted 1 times
janvandermerwer
2 years, 7 months ago
Selected Answer: B
B - This is how we set up new AWS client environments.
upvoted 1 times
akash_it
2 years, 8 months ago
Selected Answer: B
B is correct
upvoted 4 times
saidmaziz
2 years, 8 months ago
It should be B.
upvoted 1 times
Cloudxie
2 years, 9 months ago
B, and use that single permission set to grant access to a list of target AWS accounts within your AWS Organization. IAM Identity Center assigns access to a user or group in one or more AWS accounts with permission sets. When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account and attaches the policies specified in the permission set to those roles.
upvoted 4 times
SGES
2 years, 9 months ago
D - create role and policy permission in management account for granular control
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other