Exam AWS Certified Solutions Architect - Professional topic 1 question 911 discussion

A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously.
A solutions architect needs to enforce the new process in the most secure way possible.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.
  • B. Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
  • C. In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
  • D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.
  • E. Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.
Suggested Answer: AD

Comments

Ni_yot
Highly Voted 2 years, 9 months ago
Agree A and D
upvoted 11 times
...
superuser784
Highly Voted 2 years, 7 months ago
Selected Answer: AD
A and D. For those asking why not D: the consolidated billing features DO NOT include SCPs, and All Features (which is the default option) includes the consolidated billing features and SCPs.
upvoted 5 times
...
masetromain
Most Recent 2 years, 5 months ago
Selected Answer: AD
Putting all the accounts into an organization using AWS Organizations allows the solutions architect to centrally manage and apply policies across all accounts. By using service control policies (SCPs) to deny access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action, it will enforce the new process across all the accounts. This will ensure that the only way to purchase or modify Reserved Instances is by following the centralized procurement process, and no one can do it autonomously anymore. It's more secure than using Config, as Config is used for monitoring and auditing rather than enforcement, and it's less secure than using IAM policies, as IAM policies only control the access of users and roles that are attached to it, but SCPs are more comprehensive and can affect all the services across accounts.
upvoted 1 times
...
janvandermerwer
2 years, 7 months ago
Selected Answer: AD
B and C will be very painful to administer "hundreds of accounts".
E - Options in E are covered under A "all features enabled".
Leaving A and D as the remaining options.
- By deploying an SCP, this will ensure new accounts also have policies applied automatically.
upvoted 1 times
...
Tokyo344
2 years, 7 months ago
A&D "enabling all features makes it possible to use SCPs, be sure that your account administrators understand the effects of attaching SCPs to the organization, organizational units, or accounts. SCPs can restrict what users and even administrators can do in affected accounts." https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html
upvoted 1 times
...
firstabed
2 years, 8 months ago
AD correct
upvoted 2 times
...
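An SCP of the kind option D describes, as an added example that is not part of the original question or comments. The exemption for a role named ProcurementRole (a hypothetical name) is an assumption, added so the dedicated procurement team can still act; without the Condition block the two actions are denied for every principal in the affected accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReservedInstanceChangesOutsideProcurement",
      "Effect": "Deny",
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:ModifyReservedInstances"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/ProcurementRole"
        }
      }
    }
  ]
}
```

An explicit Deny in an SCP overrides any IAM Allow in the member accounts it applies to, including for account administrators and the member account root user. SCPs do not apply to the organization's management account, so that account needs its own controls.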