SAP-C02 Question #176: Real Exam Question with Answer & Explanation
The correct answer is B: Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session.
Question
A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account. Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads. Which strategy will meet these requirements?
Options
- A. Create separate OUs in AWS Organizations for each development unit.
- B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session
- C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session
- D. Create separate IAM policies for each development unit.
Explanation
- A - Does not make much sense. An account can only belong to one OU, and this is a single production account, so it cannot be placed in multiple OUs.
- B - A session tag identifies which business unit a user belongs to, and the IAM policy prevents them from modifying resources that belong to any business unit but their own.
- C - This does not restrict any existing permissions, so users can still modify resources that belong to other business units.
- D - STS cannot be used to assign a policy to an IAM role; a policy has to be attached to the role before authentication occurs.

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html
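To make option B concrete, here is an added worked example (not part of the original question page, and not AWS's own code). It models the ABAC setup the explanation describes: the identity provider passes the user's DevelopmentUnit as an STS session tag during SAML federation, and a single IAM policy on the shared developer role allows instance actions only when the instance's DevelopmentUnit tag equals the principal's session tag. The policy document and the tiny evaluator are constructed for this example; the evaluator models only explicit-deny/allow/implicit-deny ordering plus the tag conditions, not resource ARN matching, SCPs or permission boundaries. The SAML attribute name is the one AWS documents for session tags; everything else (statement IDs, tag values, the extra Deny that protects the ownership tag) is this example's own choice.

```python
"""Tag-matched (ABAC) access for a shared production account.

One developer role is assumed via SAML. The IdP passes the user's
DevelopmentUnit as a session tag, and one IAM policy grants instance
actions only on instances whose DevelopmentUnit tag matches it.
"""
import fnmatch
import re

# SAML assertion attribute that AWS STS turns into the session tag exposed
# to policies as aws:PrincipalTag/DevelopmentUnit (documented attribute name).
SAML_TAG_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:DevelopmentUnit"

# Hypothetical policy for the developers' federated role (constructed here).
# Instance actions are allowed only when the resource tag equals the caller's
# session tag; changing the DevelopmentUnit tag itself is denied so nobody can
# re-label another unit's instance as their own and then terminate it.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyDescribe", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "ManageOwnUnitInstances", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances",
                    "ec2:RebootInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/DevelopmentUnit": "${aws:PrincipalTag/DevelopmentUnit}"}}},
        {"Sid": "ProtectTheOwnershipTag", "Effect": "Deny",
         "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["DevelopmentUnit"]}}},
    ],
}

_POLICY_VAR = re.compile(r"^\$\{([^}]+)\}$")


def _condition_holds(condition, ctx):
    """Evaluate the two condition operators used above.

    ctx maps IAM context keys to a string (single-valued keys such as
    aws:ResourceTag/X) or a list (multi-valued keys such as aws:TagKeys).
    A missing context key or an unresolvable policy variable makes the
    condition false, as it does in IAM.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if isinstance(expected, str):
                var = _POLICY_VAR.match(expected)
                if var:  # substitute ${aws:PrincipalTag/...} from the context
                    expected = ctx.get(var.group(1))
                    if expected is None:
                        return False
                expected = [expected]
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if not any(value in expected for value in actual):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_allowed(action, principal_tags, resource_tags, request_tag_keys=(),
               policy=DEVELOPER_POLICY):
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit deny.

    Resource ARN matching, SCPs and permission boundaries are left out on
    purpose; only the action name and the tag conditions are modelled.
    """
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    ctx["aws:TagKeys"] = list(request_tag_keys)
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in statement["Action"]):
            continue
        if "Condition" in statement and not _condition_holds(statement["Condition"], ctx):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    blue, green = {"DevelopmentUnit": "blue"}, {"DevelopmentUnit": "green"}
    print("blue terminates a blue instance:", is_allowed("ec2:TerminateInstances", blue, blue))
    print("blue terminates a green instance:", is_allowed("ec2:TerminateInstances", blue, green))
    print("blue re-tags a green instance:", is_allowed("ec2:CreateTags", blue, green, ["DevelopmentUnit"]))
```

The second call reproduces the incident from the question and is refused, while the first still lets a unit manage its own instances, which is why one role plus one tag-aware policy is enough. Two operational caveats follow from the model: the role's trust policy must allow `sts:TagSession` in addition to `sts:AssumeRoleWithSAML`, otherwise federation fails once the IdP includes the tag, and an instance that carries no DevelopmentUnit tag at all is unmanageable by every unit (the StringEquals condition is false when the resource tag is missing), so tagging at launch time has to be enforced as part of the rollout.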