ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 132 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 132
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company manages multiple AWS accounts by using AWS Organizations. Under the root OU, the company has two OUs: Research and DataOps.

Because of regulatory requirements, all resources that the company deploys in the organization must reside in the ap-northeast-1 Region. Additionally, EC2 instances that the company deploys in the DataOps OU must use a predefined list of instance types.

A solutions architect must implement a solution that applies these restrictions. The solution must maximize operational efficiency and must minimize ongoing maintenance.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Create an IAM role in one account under the DataOps OU. Use the ec2:InstanceType condition key in an inline policy on the role to restrict access to specific instance type.
  • B. Create an IAM user in all accounts under the root OU. Use the aws:RequestedRegion condition key in an inline policy on each user to restrict access to all AWS Regions except ap-northeast-1.
  • C. Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU.
  • D. Create an SCP. Use the ec2:Region condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU, the DataOps OU, and the Research OU.
  • E. Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU.
Show Suggested Answer Hide Answer
Suggested Answer: CE 🗳️
by zhangyu20000 at Jan. 16, 2023, 2:44 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
OCHT
Highly Voted 1 year, 10 months ago
Selected Answer: CE
C. Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU. This will ensure that all resources deployed in the organization reside in the ap-northeast-1 Region. E. Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU. This will ensure that EC2 instances deployed in the DataOps OU use only the predefined list of instance types.
upvoted 5 times
OCHT
1 year, 10 months ago
Option D is incorrect because it suggests using the ec2:Region condition key to restrict access to all AWS Regions except ap-northeast-1. However, the ec2:Region condition key is not a valid condition key for EC2 actions. Instead, the aws:RequestedRegion condition key should be used to restrict access to specific AWS Regions. Additionally, applying the SCP to the root OU, the DataOps OU, and the Research OU is unnecessary because applying the SCP to the root OU alone will ensure that the restriction applies to all accounts in the organization, including those in the DataOps and Research OUs. In summary, option D is incorrect because it suggests using an invalid condition key and because applying the SCP to multiple OUs is unnecessary.
upvoted 3 times
...
...
princajen
Most Recent 1 week, 5 days ago
Selected Answer: CE
To enforce organization-wide region restrictions and instance type controls efficiently, use SCPs. Option C uses aws:RequestedRegion in an SCP attached to the root OU, which restricts all accounts to deploy only in ap-northeast-1. Option E uses ec2:InstanceType in an SCP attached to the DataOps OU, restricting EC2 launches to approved instance types only in that OU. IAM roles or inline policies would require per-account maintenance and don’t scale — so SCPs are the correct governance solution here.
upvoted 1 times
...
career360guru
1 year, 1 month ago
Selected Answer: CE
Option C & E
upvoted 1 times
...
venvig
1 year, 5 months ago
Selected Answer: CE
Very straightforward
upvoted 2 times
...
dtha1002
1 year, 6 months ago
Selected Answer: CE
C for all resources region and E for DataOps OU launch instantce type
upvoted 1 times
...
NikkyDicky
1 year, 7 months ago
Selected Answer: CE
its CE
upvoted 1 times
...
mfsec
1 year, 10 months ago
Selected Answer: CE
SCP's are the most efficient here
upvoted 1 times
...
tatdatpham
2 years ago
Selected Answer: CE
With AWS Org, consider SCP first. In this scenario, Only C,D,E are mention about SCP, but D apply for all, not only the DataOps OU
upvoted 4 times
...
masetromain
2 years, 1 month ago
Selected Answer: CE
The correct options are C and E. Option C: Create an SCP. Use the aws:RequestedRegion condition key to restrict access to all AWS Regions except ap-northeast-1. Apply the SCP to the root OU. This option is correct because it allows the company to restrict access to all AWS regions except for ap-northeast-1. This ensures that all resources deployed in the organization must reside in the ap-northeast-1 region. By applying the SCP to the root OU, it ensures that all accounts and OUs under the root will be affected. Option E: Create an SCP. Use the ec2:InstanceType condition key to restrict access to specific instance types. Apply the SCP to the DataOps OU. This option is correct because it allows the company to restrict access to specific instance types, which is required for the DataOps OU. By applying the SCP to the DataOps OU, it ensures that only resources deployed in the DataOps OU will be affected by the restriction.
upvoted 4 times
masetromain
2 years, 1 month ago
Option A is incorrect because it only restricts access to specific instance types, but it does not restrict access to a specific region. Option B is incorrect because it is applied to IAM users rather than OUs, which would not effectively apply the restriction to all resources in the organization. Option D is incorrect because it uses the ec2:Region condition key which would not allow to restrict the instances types only in the DataOps OU. By creating an SCP that uses the aws:RequestedRegion condition key and restricting access to all regions except ap-northeast-1 and applying it to the root OU, this ensures that all resources deployed in the organization will reside in the ap-northeast-1 Region. By creating an SCP that uses the ec2:InstanceType condition key and restricts access to specific instance types and applying it to the DataOps OU, this ensures that all EC2 instances deployed in the DataOps OU will use the predefined list of instance types.
upvoted 1 times
...
...
zhangyu20000
2 years, 1 month ago
CE is correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel