Exam AWS Certified Solutions Architect - Professional topic 1 question 916 discussion

A company is building dozens of new workloads by using a variety of AWS services. Each workload will belong to a separate business unit. The company needs to minimize costs as each business unit experiments with ways to innovate. The company also needs to maximize scalability for its security team so that the security team can identify and respond to threats as quickly as possible for all the workloads.
Which combination of actions should a solutions architect take to meet these requirements? (Choose three.)

  • A. Set up a multi-account environment by using AWS Organizations. Organize accounts into the following OUs: Security, Infrastructure, Workloads, and Exception.
  • B. Set up a multi-account environment by using AWS Organizations. Organize accounts into the following SCPs: Security, Infrastructure, Workloads, and Exception.
  • C. Configure AWS Trusted Advisor to invoke an AWS Lambda function to move an AWS account that reaches a predefined budget threshold into the Exception OU. Apply an SCP at the root of the organization with a condition that matches the Exception OU to limit usage to core services, including Amazon EC2, Amazon S3, and Amazon RDS.
  • D. Use AWS Budgets alerts to invoke an AWS Lambda function to move an AWS account that reaches a predefined budget threshold into the Exception OU. Apply an SCP to the Exception OU to limit usage to core services, including Amazon EC2, Amazon S3, and Amazon RDS.
  • E. Turn on Amazon GuardDuty in each account. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the topic so that the security team can receive alerts.
  • F. Create a delegated administrator account for Amazon GuardDuty in the organization in AWS Organizations. Create an Amazon Simple Notification Service (Amazon SNS) topic in this account. Subscribe the security team to the topic so that the security team can receive alerts.
Suggested Answer: ADF
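
Option D's containment step, as an added example that is not part of the original question or of any comment: a handler moves an over-budget account into the Exception OU, and an SCP attached to that OU denies everything outside the core services. The OU and account IDs, the `FakeOrganizations` stand-in, and the rule that only accounts currently in the Workloads OU may be moved are assumptions made here; `list_parents` and `move_account` are the AWS Organizations API operations a real client exposes.

```python
import json
import re

CORE_SERVICE_ACTIONS = ["ec2:*", "s3:*", "rds:*"]  # services named in option D

def build_exception_scp(allowed=CORE_SERVICE_ACTIONS):
    """SCP for the Exception OU: deny every action outside the core services."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyOutsideCoreServices", "Effect": "Deny",
                           "NotAction": list(allowed), "Resource": "*"}]}

def quarantine_account(org, account_id, workloads_ou, exception_ou):
    """Move an over-budget account from the Workloads OU into the Exception OU.

    org is an AWS Organizations client (boto3.client("organizations") in Lambda).
    Returns "moved", "already-in-exception" or "refused".
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    parent = org.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    if parent == exception_ou:
        return "already-in-exception"   # repeated alerts stay idempotent
    if parent != workloads_ou:
        return "refused"                # assumption: never move Security/Infrastructure accounts
    org.move_account(AccountId=account_id, SourceParentId=parent,
                     DestinationParentId=exception_ou)
    return "moved"

class FakeOrganizations:
    """Constructed in-memory stand-in for the Organizations client (offline demo)."""
    def __init__(self, parents):
        self.parents = dict(parents)    # account ID -> parent OU ID
    def list_parents(self, ChildId):
        return {"Parents": [{"Id": self.parents[ChildId], "Type": "ORGANIZATIONAL_UNIT"}]}
    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        assert self.parents[AccountId] == SourceParentId
        self.parents[AccountId] = DestinationParentId

if __name__ == "__main__":
    # Constructed account and OU IDs, not taken from the page.
    org = FakeOrganizations({"111111111111": "ou-ex-workloads",
                             "222222222222": "ou-ex-security"})
    print(quarantine_account(org, "111111111111", "ou-ex-workloads", "ou-ex-exception"))
    print(quarantine_account(org, "222222222222", "ou-ex-workloads", "ou-ex-exception"))
    print(json.dumps(build_exception_scp(), indent=2))
```

Because the SCP uses `Deny` with `NotAction`, it caps what the moved account can do but grants nothing by itself; IAM policies in the account still have to allow the core-service actions.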

Comments

AwsBRFan
Highly Voted 2 years, 9 months ago
Selected Answer: ADF
Not sure but considering F: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
upvoted 8 times
Biden
2 years, 9 months ago
Yes... An account needs to be dedicated as Delegated Admin for Guard Duty, hence ADF
upvoted 3 times
gnandam
Highly Voted 2 years, 8 months ago
A
B - SCP is a policy, cannot group accounts
C - Trusted Advisor can only do assessment and recommendations
D
E - Guard Duty needs delegated admin account
F
upvoted 5 times
masetromain
2 years, 5 months ago
You are correct that GuardDuty does require a delegated administrator account to be set up in the organization in AWS Organizations before it can be enabled. However, option F suggests that creating a delegated administrator account for GuardDuty is the only solution for maximizing scalability for the security team, which is not necessarily the case. You can use another solution, like the one I mentioned before: E. Turn on Amazon GuardDuty in each account. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the topic so that the security team can receive alerts. Creating a delegated administrator account for GuardDuty is a necessary step in order to enable GuardDuty, but it alone is not sufficient to maximize scalability for the security team. The security team will also need to be notified of any security issues that GuardDuty detects, and that is done by subscribing the security team to an SNS topic as mentioned in option E.
upvoted 1 times
ggrodskiy
Most Recent 1 year, 11 months ago
Correct: ADF
upvoted 1 times
dev112233xx
2 years, 1 month ago
Selected Answer: ACF
D- AWS Budgets alerts CAN'T invoke an AWS Lambda function! Only SNS topic
upvoted 1 times
zozza2023
2 years, 4 months ago
Selected Answer: ADF
Not sure between E and F
upvoted 1 times
masetromain
2 years, 5 months ago
Selected Answer: ADE
A: Using AWS Organizations, the company can set up a multi-account environment and organize accounts into different OUs based on the business unit. This will help the company to minimize costs as each business unit experiments with ways to innovate.
D: Using AWS Budgets and Lambda function, the company can set a budget threshold for each workload and move the account that exceeds the threshold to the exception OU; this will help the company to minimize costs.
E: By turning on Amazon GuardDuty in each account, the company can detect and respond to threats as quickly as possible for all the workloads. And by subscribing the security team to the Amazon SNS topic, the company can ensure that the security team is alerted of any security issues.
upvoted 1 times
masetromain
2 years, 5 months ago
B: Organizing the accounts into SCPs is another way to organize the accounts but not necessary in this case; OUs are sufficient for this requirement.
C: Configuring AWS Trusted Advisor to invoke an AWS Lambda function to move an AWS account that reaches a predefined budget threshold into the Exception OU: this is similar to what is done in D, but Trusted Advisor is not necessary in this case as AWS Budgets and Lambda function can already achieve this.
F: Creating a delegated administrator account for Amazon GuardDuty in the organization in AWS Organizations is not necessary as it is possible to enable GuardDuty in each individual account.
upvoted 1 times
masetromain
2 years, 5 months ago
"Guard Duty need delegated admin account no ? so why not F ?"
You are correct that GuardDuty does require a delegated administrator account to be set up in the organization in AWS Organizations before it can be enabled. However, option F suggests that creating a delegated administrator account for GuardDuty is the only solution for maximizing scalability for the security team, which is not necessarily the case. You can use another solution, like the one I mentioned before: E. Turn on Amazon GuardDuty in each account. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security team to the topic so that the security team can receive alerts. Creating a delegated administrator account for GuardDuty is a necessary step in order to enable GuardDuty, but it alone is not sufficient to maximize scalability for the security team. The security team will also need to be notified of any security issues that GuardDuty detects, and that is done by subscribing the security team to an SNS topic as mentioned in option E.
upvoted 1 times
mrgreatness
2 years, 7 months ago
ADF. Delegated admin can enable GD on the member accounts. What do we expect the admin to do, go to all accounts and enable GD, or just use a delegated admin? Makes more sense to me.
upvoted 1 times
fdoxxx
2 years, 7 months ago
Selected Answer: AEF
Regarding D - "Apply an SCP to the Exception OU to limit usage to core services, including Amazon EC2, Amazon S3, and Amazon RDS." - will eliminate the danger to exceed budget - one can easily make a huge bill on EC2s or RDS only. I don't like the idea of automatization of account movement between OUs - there is not enough info about what criteria would be applied here.
upvoted 1 times
JohnPi
2 years, 8 months ago
Selected Answer: ADF
A
D https://aws.amazon.com/blogs/mt/smart-budgeting-using-lambda-and-service-catalog/
F https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
upvoted 1 times
dcdcdc3
2 years, 8 months ago
ADF D: https://aws.amazon.com/blogs/mt/manage-cost-overruns-part-1/
upvoted 1 times
cale
2 years, 9 months ago
Selected Answer: ADE
In my opinion, the SCP should be applied to the Exception OU only so D instead of C.
upvoted 1 times