Which combination of actions using AWS services will meet these requirements?
(Choose three.)
Develop infrastructure services using AWS CloudFormation templates. Add the templates to a central Amazon S3 bucket and add the IAM roles or users that require access to the S3 bucket policy.
Develop infrastructure services using AWS CloudFormation templates. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS account. Share these portfolios with the Organizations structure created for the company.
Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permissions. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3.
Allow user IAM roles to have ServiceCatalogEndUserAccess permissions only. Use an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints.
Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the company. Apply the TagOption to AWS Service Catalog products or portfolios.
Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any CloudFormation templates that will be created for users.
Explanations:
Uploading CloudFormation templates as Service Catalog products allows for central management. By sharing portfolios with AWS Organizations, the company can distribute these services to multiple accounts securely and centrally.
ServiceCatalogEndUserAccess ensures users have limited access to launch approved products. The automation script allows importing portfolios and applying launch constraints, ensuring least privilege access and standardized tagging.
The TagOption Library enforces required tags on Service Catalog products or portfolios, ensuring any infrastructure created through Service Catalog products follows tagging policies defined by the company.
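The three selected actions combined into one hub-account CloudFormation template, as an added example that is not part of the question bank or an AWS sample: the approved template becomes a Service Catalog product, a TagOption carries the required tag, a launch constraint pins the provisioning role so end users need only ServiceCatalogEndUserAccess, and the portfolio is shared with tag options. The template URL, the spoke account 111111111111 and the role name SCLaunchRole are placeholders.

```yaml
# Added example (not from the question or AWS): hub-account template packaging one
# approved template as a Service Catalog product with a required tag and launch role.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: Approved Infrastructure
      ProviderName: Platform Team
  VpcProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Baseline VPC
      Owner: Platform Team
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: https://example-bucket.s3.amazonaws.com/vpc-baseline.yaml  # placeholder
  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref VpcProduct
  # Required tag: every product launched from this portfolio must carry CostCenter=platform
  CostCenterTag:
    Type: AWS::ServiceCatalog::TagOption
    Properties:
      Key: CostCenter
      Value: platform
      Active: true
  CostCenterOnPortfolio:
    Type: AWS::ServiceCatalog::TagOptionAssociation
    Properties:
      ResourceId: !Ref Portfolio
      TagOptionId: !Ref CostCenterTag
  # Launch constraint: provisioning runs under this role, so end users need only
  # ServiceCatalogEndUserAccess (role name SCLaunchRole is a placeholder)
  LaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref VpcProduct
      RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/SCLaunchRole
  SharePortfolio:
    Type: AWS::ServiceCatalog::PortfolioShare
    Properties:
      AccountId: "111111111111"  # placeholder spoke account
      PortfolioId: !Ref Portfolio
      ShareTagOptions: true
```

The PortfolioShare resource shares with a single account; the Organizations-wide share the answer describes is created from the management account after `aws servicecatalog enable-aws-organizations-access`, with `aws servicecatalog create-portfolio-share --portfolio-id <portfolio-id> --organization-node Type=ORGANIZATION,Value=<org-id> --share-tag-options`.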
Storing templates in an S3 bucket with IAM access does not meet the requirements for central distribution, least privilege enforcement, or tag application, making it unsuitable for centralized and secure deployment.
Granting full CloudFormation access to users violates the principle of least privilege, as users could deploy any resources they want, bypassing approval restrictions. SCPs also don’t allow fine-grained control over resources.
While Resource Tags in CloudFormation can add tags to specific resources, they cannot enforce mandatory tagging policies across all products centrally, making this option inadequate for the company’s tagging requirements.