
Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 118 discussion

A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups.

The company must create separate accounts for development, staging, production, and shared network. The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other.

Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)

  • A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations.
  • B. Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings through AWS CloudTrail to force MFA login.
  • C. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables.
  • D. Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate permission sets with required MFA for existing accounts.
  • E. Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings through AWS CloudTrail to force MFA login.
  • F. Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognito user pools and identity pools to manage access to accounts and between accounts.
Suggested Answer: ACD

Comments

masetromain
Highly Voted 2 years, 4 months ago
Selected Answer: ACD
The correct answer would be options A, C and D, because they address the requirements outlined in the question. A. Deploying a landing zone environment using AWS Control Tower and enrolling accounts in an organization in AWS Organizations allows for a centralized management of access to all accounts and applications. C. Creating transit gateways and transit gateway VPC attachments in each account and configuring appropriate route tables allows for private network traffic, and ensures that the production account and shared network account have connectivity to all accounts, while the development and staging accounts have access only to each other. D. Setting up and enabling AWS IAM Identity Center (AWS Single Sign-On) and creating appropriate permission sets with required MFA for existing accounts allows for multi-factor authentication at login and specific roles to be assigned to user groups.
upvoted 17 times
masetromain
2 years, 4 months ago
The other options are not correct because: B. Enabling AWS Security Hub in all accounts to manage cross-account access and collecting findings through AWS CloudTrail to force MFA login is not enough to meet the requirement of creating separate accounts for development, staging, production, and shared network. It can be used in addition to the other steps, but not as a standalone solution. E. Enabling AWS Control Tower in all accounts to manage routing between accounts and collecting findings through AWS CloudTrail to force MFA login is not enough to meet the requirement of creating separate accounts for development, staging, production, and shared network. It can be used in addition to the other steps, but not as a standalone solution.
upvoted 4 times
masetromain
2 years, 4 months ago
F. Creating IAM users and groups and configuring MFA for all users and setting up Amazon Cognito user pools and Identity pools to manage access to accounts and between accounts does not address the requirement of creating separate accounts for development, staging, production, and shared network. Additionally, it does not address the requirement of keeping the traffic on a private network.
upvoted 3 times
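The route-table part of option C, worked through as an added example (this is not code from the question, the comments or AWS). It assumes the layout the comments describe: one transit gateway owned by the shared-network account and shared to the other accounts, one VPC attachment per account, a TGW route table for the production/shared-network side and another for the development/staging side. Account names, VPC CIDRs and route-table names are constructed for illustration. Because TGW routing is stateless, the check treats a flow as working only when the source attachment's table has a route to the destination and the destination attachment's table has a route back.

```python
"""Transit Gateway route-table model for the multi-account layout in option C.

Added worked example; not code from the question, the answers or AWS.
Account names, VPC CIDRs and route-table names are constructed for
illustration. One TGW in the shared-network account, one VPC attachment per
account, two TGW route tables (hub side and dev/staging side).
"""
import ipaddress

# Constructed sample data: one attachment per account -> that VPC's CIDR.
ATTACHMENTS = {
    "shared-network": ipaddress.ip_network("10.0.0.0/16"),
    "production": ipaddress.ip_network("10.1.0.0/16"),
    "development": ipaddress.ip_network("10.2.0.0/16"),
    "staging": ipaddress.ip_network("10.3.0.0/16"),
}
HUB = frozenset({"shared-network", "production"})
DEV_STAGING = frozenset({"development", "staging"})


def route_tables(return_routes_for_hub):
    """Two TGW route tables.

    'association' = attachments whose outbound traffic is looked up here.
    'propagation' = attachments whose VPC CIDRs are installed as routes.
    With return_routes_for_hub=False the dev/staging table learns only the
    dev and staging CIDRs; with True it also learns the hub CIDRs so that
    replies to production and shared-network traffic can get back.
    """
    dev_prop = DEV_STAGING | (HUB if return_routes_for_hub else frozenset())
    return {
        "rt-hub": {"association": HUB, "propagation": frozenset(ATTACHMENTS)},
        "rt-dev-staging": {"association": DEV_STAGING, "propagation": dev_prop},
    }


def table_for(tables, attachment):
    """Name of the route table the attachment is associated with."""
    for name, rt in tables.items():
        if attachment in rt["association"]:
            return name
    raise KeyError(f"{attachment} has no route-table association")


def next_hop(tables, src, dst_ip):
    """Longest-prefix lookup of dst_ip in src's table; None means the TGW drops it."""
    addr = ipaddress.ip_address(dst_ip)
    rt = tables[table_for(tables, src)]
    matches = [(ATTACHMENTS[a], a) for a in rt["propagation"] if addr in ATTACHMENTS[a]]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def flow_allowed(tables, src, dst):
    """Bidirectional check between two attachments: forward route and return route."""
    src_ip, dst_ip = ATTACHMENTS[src][10], ATTACHMENTS[dst][10]  # arbitrary hosts
    return next_hop(tables, src, dst_ip) == dst and next_hop(tables, dst, src_ip) == src


def reachability(tables):
    """Attachment -> set of attachments it can exchange traffic with."""
    return {
        a: frozenset(b for b in ATTACHMENTS if a != b and flow_allowed(tables, a, b))
        for a in ATTACHMENTS
    }


def missing_return_routes(tables):
    """(src, dst) pairs with a forward route but no route back.

    Such flows time out silently, the usual symptom of a propagation that
    was enabled on only one of the two route tables.
    """
    pairs = []
    for s in ATTACHMENTS:
        for d in ATTACHMENTS:
            if s == d:
                continue
            forward = next_hop(tables, s, ATTACHMENTS[d][10]) == d
            back = next_hop(tables, d, ATTACHMENTS[s][10])
            if forward and back is None:
                pairs.append((s, d))
    return sorted(pairs)


if __name__ == "__main__":
    naive = route_tables(return_routes_for_hub=False)
    print("broken one-way flows:", missing_return_routes(naive))
    for acct, peers in reachability(route_tables(return_routes_for_hub=True)).items():
        print(f"{acct:15} <-> {sorted(peers)}")
```

With propagation enabled only one way, production and shared-network have routes to development and staging but the replies are dropped at the TGW, so `missing_return_routes` lists those four pairs. Once the dev/staging table also carries the hub CIDRs, the routing layer by itself no longer prevents development or staging from initiating traffic to production; the TGW tables keep development and staging isolated from any further spoke accounts, and initiation toward production or shared-network should additionally be blocked with security groups or network ACLs in those VPCs.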
amministrazione
Most Recent 8 months, 2 weeks ago
A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations. C. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables. D. Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate permission sets with required MFA for existing accounts.
upvoted 1 times
ajeeshb
1 year, 2 months ago
Selected Answer: ACD
A, C and D are the right answers. Option C is not clear, though. The transit gateway needs to be created in the shared network account and the TGW VPC attachment in all accounts. But option C says "create tgw and tgw vpc attachment in all accounts", which is a bit confusing.
upvoted 2 times
8693a49
9 months, 2 weeks ago
Yes, you probably only need one TGW in the shared account
upvoted 1 times
career360guru
1 year, 4 months ago
Selected Answer: ACD
A, C and D
upvoted 1 times
shaaam80
1 year, 5 months ago
Selected Answer: ACD
Answer - ACD
upvoted 1 times
NikkyDicky
1 year, 10 months ago
Selected Answer: ACD
ACD easy
upvoted 1 times
Maria2023
1 year, 10 months ago
Selected Answer: ACD
ACD seems like the only technically achievable solution. B and E appear to be completely wrong and for F - I am not sure whether Cognito will do the job but for sure it would be extremely hard to implement that way.
upvoted 2 times
OCHT
2 years, 1 month ago
Selected Answer: ACD
Option E is not the most appropriate choice because it suggests enabling AWS Control Tower in all accounts to manage routing between accounts. However, AWS Control Tower is not primarily designed for managing routing between accounts; it is intended to set up and govern a secure, multi-account AWS environment. The transit gateways and VPC attachments in Option C are better suited for managing routing and connectivity between accounts.
upvoted 4 times
mfsec
2 years, 1 month ago
Selected Answer: ACD
ACD are the best choice
upvoted 1 times
spd
2 years, 2 months ago
Selected Answer: ACD
By Elimination Rule
upvoted 3 times
zhangyu20000
2 years, 3 months ago
ACD are correct.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other