Topic 1 Question 261
3 つ選択A company has many separate AWS accounts and uses no central billing or management. Each AWS account hosts services for different departments in the company. The company has a Microsoft Azure Active Directory that is deployed.
A solutions architect needs to centralize billing and management of the company’s AWS accounts. The company wants to start using identity federation instead of manual user management. The company also wants to use temporary credentials instead of long-lived access keys.
Which combination of steps will meet these requirements?
Create a new AWS account to serve as a management account. Deploy an organization in AWS Organizations. Invite each existing AWS account to join the organization. Ensure that each account accepts the invitation.
Configure each AWS account's email address to be aws+
@example.com so that account management email messages and invoices are sent to the same place. Deploy AWS IAM Identity Center (AWS Single Sign-On) in the management account. Connect IAM Identity Center to the Azure Active Directory. Configure IAM Identity Center for automatic synchronization of users and groups.
Deploy an AWS Managed Microsoft AD directory in the management account. Share the directory with all other accounts in the organization by using AWS Resource Access Manager (AWS RAM).
Create AWS IAM Identity Center (AWS Single Sign-On) permission sets. Attach the permission sets to the appropriate IAM Identity Center groups and AWS accounts.
Configure AWS Identity and Access Management (IAM) in each AWS account to use AWS Managed Microsoft AD for authentication and authorization.
ユーザの投票
コメント(13)
- 正解だと思う選択肢: ACE
Yes ACE - A for a new Management account: C for SSO; E for permissions to IAM
👍 7gd12023/06/24 - 正解だと思う選択肢: ACE
A) Creating a master account to manage organizations on AWS and invite them sounds like a good idea and is recommended. B) Has no sense C ) In AWS Single Sign On adding Azure AD as trust sounds like a good idea and it is the usual way to do it as well as creating users and groups D ) Create an AD in AWS and share it? it doesn't make sense because there already exists one in azure which we will use E ) Creating the corresponding permission set and attaching it to the groups that were created usually makes sense. F ) again an AD created in AWS is not necessary because it already exists in Azure and you do not want to have another one again
👍 2SkyZeroZx2023/06/28 - 正解だと思う選択肢: ACE
ACE IT!
👍 2NikkyDicky2023/07/07
シャッフルモード