DOP-C02 Question #467: Real Exam Question with Answer & Explanation
The correct answer is D: Use SCPs to restrict Regions/services and StackSets for IAM roles with trust to AD.
Question
A company wants governance where only specific Regions and services can be used, with centralized AD authentication and job-function-based roles. Which solution meets these requirements?
Options
- A. Use OUs with group policies and StackSets for IAM roles.
- B. Use permission boundaries and StackSets.
- C. Use SCPs to restrict Regions/services and Resource Access Manager to share roles.
- D. Use SCPs to restrict Regions/services and StackSets for IAM roles with trust to AD.
Explanation
Apply SCPs for Region and service restriction. Use CloudFormation StackSets to consistently deploy IAM roles with trust policies for SSO/AD integration. This model enforces governance uniformly across all accounts per AWS multi-account best practices.