
Exam AWS Certified Security - Specialty topic 1 question 380 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 380
Topic #: 1

A large company organizes hundreds of AWS accounts in AWS Organizations in Developer, Test, and Production OUs. Developers who have full administrative privileges in their respective accounts use the accounts in the Developer OU. The company wants to allow only certain Amazon EC2 instance types to be used within the Developer OU.

How can the company prevent developer accounts from launching unapproved EC2 instance types?

  • A. Create a new launch template in each AWS account in the Developer OU to deny the ec2:RunInstances API call for instance types that are not in an approved list. Associate these templates with all IAM principals in the account.
  • B. Create an IAM policy to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to all IAM principals in all the AWS accounts in the Developer OU.
  • C. Use a managed SCP that is attached to the organization's root account to deny the ec2:RunInstances API call for instance types that are not in an approved list.
  • D. Create an SCP to deny the ec2:RunInstances API call for instance types that are not in an approved list. Attach the policy to the Developer OU.
Suggested Answer: D

Comments

Isaias
Highly Voted 2 years, 7 months ago
Selected Answer: D
D for me. C is incorrect: you cannot modify a managed SCP.
upvoted 6 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
D is the correct answer. The request is to allow "certain Amazon EC2 instance types" for developers who have full access on accounts in a certain OU. The best approach is to limit them through an SCP that is applied to that OU, using the IAM condition key "ec2:InstanceType". Ex.: "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": ["arn:aws:ec2:*:*:instance/*"], "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}}
upvoted 1 times
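As an added example (not code from this page or from AWS), the following Python builds the SCP the answer describes and runs a simplified evaluation of its StringNotEquals condition over the resources a RunInstances call touches. The account ID, region and approved instance types are constructed placeholders, and the evaluator is a minimal model of one negated condition operator, not AWS's policy engine.

```python
import fnmatch
import json

# Constructed placeholders (assumptions): approved types for the Developer OU.
APPROVED_TYPES = ["t3.micro", "t3.small", "t3.medium"]
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/*"
VOLUME_ARN = "arn:aws:ec2:us-east-1:111122223333:volume/*"


def build_scp(approved_types, resource="arn:aws:ec2:*:*:instance/*"):
    """SCP denying ec2:RunInstances for any instance type not in the list.

    Resource is scoped to the instance ARN on purpose: ec2:InstanceType is only
    present on the instance resource of a RunInstances call (see evaluator).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnapprovedInstanceTypes",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": resource,
            "Condition": {"StringNotEquals": {"ec2:InstanceType": list(approved_types)}},
        }],
    }


def launch_request(instance_type):
    """Resources touched by one RunInstances call and the condition keys each carries.

    Only the instance resource carries ec2:InstanceType; the volume does not.
    """
    return {INSTANCE_ARN: {"ec2:InstanceType": instance_type}, VOLUME_ARN: {}}


def run_instances_denied(scp, request_resources):
    """True if any Deny statement matches any resource of the call (explicit deny wins)."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "ec2:RunInstances":
            continue
        patterns = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for arn, keys in request_resources.items():
            if not any(fnmatch.fnmatchcase(arn, p) for p in patterns):
                continue
            for key, allowed in stmt["Condition"]["StringNotEquals"].items():
                allowed = allowed if isinstance(allowed, list) else [allowed]
                # Negated operator: a key missing from the request context counts
                # as "not equal", so a Resource of "*" would deny every launch.
                if key not in keys or keys[key] not in allowed:
                    return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_scp(APPROVED_TYPES), indent=2))
```

Running the script prints the SCP document; the `"*"` resource variant is worth trying to see why the instance-ARN scoping matters.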
Toptip
2 years, 1 month ago
Selected Answer: D
D is good but not the best approach to handle such a scenario. It is better to Deny with a StringNotEquals condition if the region is not the desired region (much easier to maintain): "StringNotEquals": { "ec2:Region": "ALLOWED REGION" }
upvoted 1 times
nairj
2 years, 2 months ago
D is correct. It's all about using an SCP at the OU to restrict access instead of applying IAM-based controls at the account level.
upvoted 3 times
secdaddy
2 years, 6 months ago
Organizations and OU = SCP. Create the policy: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html#example-ec2-1 and attach the policy to an OU: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html
upvoted 2 times
Singhh
2 years, 7 months ago
Selected Answer: D
The requirement is the Developer OU; C has the root OU, which is wrong.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)