SAP-C02 · Question #650

SAP-C02 Question #650: Real Exam Question with Answer & Explanation

The correct answer is A: Create separate OUs in AWS Organizations for each development unit. Assign the created OUs.

Submitted by deeparc · Mar 6, 2026 · Domain: Design Solutions for Organizational Complexity

Question

A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account. Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads. Which strategy will meet these requirements?

Options

  • A. Create separate OUs in AWS Organizations for each development unit. Assign the created OUs
  • B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session
  • C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session
  • D. Create separate IAM policies for each development unit. For every IAM policy, add an allow

Explanation

The company needs to prevent developers from one unit from managing resources belonging to other units within a shared production account, while still allowing them to manage their own resources.

Common mistakes:

  • B. Passing DevelopmentUnit as an AWS STS session tag enables attribute-based access control (ABAC) but is insufficient alone, as existing broad IAM policies might still permit cross-unit actions without consistent enforcement of resource tagging.
  • C. While AWS STS session tags are for ABAC, the example policy grants ec2:* permissions without specific conditions, which would still allow developers to manage all EC2 instances, regardless of unit.
  • D. Creating separate IAM policies for each development unit with specific resource ARNs is unscalable and difficult to maintain for dynamically created resources like EC2 instances, as new instances would require constant policy updates.

Concept tested: AWS Organizations SCPs for resource isolation

Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
