Topic 1 Question 373
Select 3
A company is using multiple AWS accounts and has multiple DevOps teams running production and non-production workloads in these accounts. The company would like to centrally restrict access to some of the AWS services that the DevOps teams do not use. The company decided to use AWS Organizations and successfully invited all AWS accounts into the Organization. They would like to allow access to services that are currently in use and deny a few specific services. They would also like to administer multiple accounts together as a single unit.
What combination of steps should the solutions architect take to satisfy these requirements?
A. Use a Deny list strategy.
B. Review the Access Advisor in AWS IAM to determine services recently used.
C. Review the AWS Trusted Advisor report to determine services recently used.
D. Remove the default FullAWSAccess SCP.
E. Define organizational units (OUs) and place the member accounts in the OUs.
F. Remove the default DenyAWSAccess SCP.
Comments (6)
- Selected answer: ABE
ABE is the answer:
A: This approach involves explicitly denying access to specific AWS services that the company wants to restrict. It allows all other services to be accessible, which aligns with the company's requirement to allow services that are currently in use.
B: AWS IAM Access Advisor shows the service permissions granted to a user and when those services were last accessed. This information is valuable to understand which AWS services are actively used and which are not, helping to make informed decisions about which services to restrict.
E: Organizational Units allow for grouping AWS accounts that have similar needs or requirements. This structure enables the solutions architect to apply policies at the OU level, making it easier to manage permissions and restrictions across multiple accounts.
👍 4 heatblur 2023/11/30
- Selected answer: ABE
Agreed E+B+A in that order :)
👍 2 ayadmawla 2023/12/10
- Selected answer: ABE
ABE for sure
👍 1 devalenzuela86 2023/11/22