Amazon Exam SAP-C02 Topic 1 Question 19 Discussion

Actual exam question for Amazon's SAP-C02 exam
Question #: 19
Topic #: 1

An enterprise company is building an infrastructure services platform for its users. The company has the following requirements:

Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services.

Use a central account to manage the creation of infrastructure services.

Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations.

Provide the ability to enforce tags on any infrastructure that is started by users.

Which combination of actions using AWS services will meet these requirements? (Choose three.)

Suggested Answer: B, D, E

Developing infrastructure services using AWS CloudFormation templates and uploading them as AWS Service Catalog products to portfolios created in a central AWS account will enable the company to centrally manage the creation of infrastructure services and control who can use them [1]. AWS Service Catalog allows you to create and manage catalogs of IT services that are approved for use on AWS [2]. You can organize products into portfolios, which are collections of products along with configuration information [3]. You can share portfolios with other accounts in your organization using AWS Organizations [4].

Allowing user IAM roles to have ServiceCatalogEndUserAccess permissions only and using an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints will enable the company to provide least privilege access to users when launching AWS infrastructure services. ServiceCatalogEndUserAccess is a managed IAM policy that grants users permission to list and view products and launch product instances. An automation script can help import the shared portfolios from the central account to the local accounts, copy the TagOption from the central account, assign users access to the portfolios, and apply launch constraints that specify which IAM role or user can provision a product.

Using the AWS Service Catalog TagOption Library to maintain a list of tags required by the company and applying the TagOption to AWS Service Catalog products or portfolios will enable the company to enforce tags on any infrastructure that is started by users. TagOptions are key-value pairs that you can use to classify your AWS Service Catalog resources. You can create a TagOption Library that contains all the tags that you want to use across your organization. You can apply TagOptions to products or portfolios, and they will be automatically applied to any provisioned product instances.
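The automation script described above could look like the following sketch. It is an added example, not part of the original explanation or any AWS-provided script. It assumes `hub` and `spoke` are boto3 `servicecatalog` clients for the central and local accounts, that the run is against a fresh local account, and that the imported products are placed in a local portfolio; the function name, parameter names, `ProviderName` value and launch role name are hypothetical.

```python
import json


def onboard_spoke_account(hub, spoke, shared_portfolio_id, local_name,
                          end_user_role_arn, launch_role_name):
    """Import a centrally shared portfolio and lock it down in a local account.

    hub / spoke: boto3 "servicecatalog" clients (assumption) for the central
    and the local account. Pagination and re-runs are not handled here.
    """
    # 1. Import the portfolio shared from the central account through AWS Organizations.
    spoke.accept_portfolio_share(PortfolioId=shared_portfolio_id,
                                 PortfolioShareType="AWS_ORGANIZATIONS")

    # 2. Local portfolio that carries this account's access, tags and constraints.
    local_id = spoke.create_portfolio(
        DisplayName=local_name,
        ProviderName="central-platform-team",  # hypothetical provider name
    )["PortfolioDetail"]["Id"]

    # 3. Copy each active TagOption from the central library (first page only)
    #    and attach it to the local portfolio so launches carry the tags.
    for opt in hub.list_tag_options(Filters={"Active": True})["TagOptionDetails"]:
        copied = spoke.create_tag_option(Key=opt["Key"], Value=opt["Value"])
        spoke.associate_tag_option_with_resource(
            ResourceId=local_id, TagOptionId=copied["TagOptionDetail"]["Id"])

    # 4. Add every imported product and apply a launch constraint, so that
    #    provisioning runs under a dedicated role, not the end user's permissions.
    found = spoke.search_products_as_admin(PortfolioId=shared_portfolio_id)
    product_ids = [p["ProductViewSummary"]["ProductId"]
                   for p in found["ProductViewDetails"]]
    for pid in product_ids:
        spoke.associate_product_with_portfolio(
            ProductId=pid, PortfolioId=local_id,
            SourcePortfolioId=shared_portfolio_id)
        spoke.create_constraint(
            PortfolioId=local_id, ProductId=pid, Type="LAUNCH",
            Parameters=json.dumps({"LocalRoleName": launch_role_name}))

    # 5. Assign access: only this IAM role may browse and launch the products.
    spoke.associate_principal_with_portfolio(
        PortfolioId=local_id, PrincipalARN=end_user_role_arn,
        PrincipalType="IAM")
    return {"portfolio_id": local_id, "products": product_ids}
```

The end-user role passed in would hold only the end-user access policy, while the launch role named in the constraint holds the permissions the CloudFormation templates need.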


1. Creating a product from an existing CloudFormation template
2. What is AWS Service Catalog?
3. Working with portfolios
4. Sharing a portfolio with AWS Organizations
5. Providing least privilege access for users
6. AWS managed policies for job functions
7. Importing shared portfolios
8. Enforcing tag policies
9. Working with TagOptions
10. Creating a TagOption Library
11. Applying TagOptions

Contribute your Thoughts:

Fidelia
8 months ago
Yup, nailed it. I'd say B, D, and E/F are the way to go. Covers all the bases and gives the users just the right level of access and control.
upvoted 0 times
...
Leonie
8 months ago
Exactly. And the ability to share those portfolios across the Org is key - that way you can ensure consistency and compliance across all the different teams and accounts.
upvoted 0 times
...
Alyce
8 months ago
Definitely. Plus, with Service Catalog, you get that central control and governance over the approved infrastructure services. Much cleaner than trying to lock things down at the account level.
upvoted 0 times
...
Marla
8 months ago
Haha, yeah, C is a bit of a 'nuclear option' isn't it? Probably better to go with the more surgical approach of using Service Catalog and tailored permissions.
upvoted 0 times
...
