SAP-C02 Question #651: Real Exam Question with Answer & Explanation
The correct answer is B: Develop infrastructure services using AWS CloudFormation templates. Upload each template as. The company needs to build a self-service infrastructure platform with least privilege, central management, multi-account distribution, and enforced tagging for user-provisioned resources.
Question
An enterprise company is building an infrastructure services platform for its users. The company has the following requirements:
- Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services.
- Use a central account to manage the creation of infrastructure services.
- Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations.
- Provide the ability to enforce tags on any infrastructure that is started by users.

Which combination of actions using AWS services will meet these requirements? (Choose three.)
Options
- A. Develop infrastructure services using AWS CloudFormation templates. Add the templates to a
- B. Develop infrastructure services using AWS CloudFormation templates. Upload each template as
- C. Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess
- D. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions only. Use an
- E. Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the
- F. Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any
Explanation
The company needs to build a self-service infrastructure platform with least privilege, central management, multi-account distribution, and enforced tagging for user-provisioned resources.
Common mistakes.
- A. Storing CloudFormation templates in S3 with event notifications would require building custom service catalog functionality, which AWS Service Catalog provides as a managed service.
- C. Granting AWSCloudFormationFullAccess violates the least privilege principle, allowing users to provision any service via CloudFormation, not just approved ones.
- F. While CloudFormation's Resource Tags property enforces tags within a template, it does not provide a centralized, library-based tag management and enforcement solution like the Service Catalog TagOption Library.
Concept tested. AWS Service Catalog for governed infrastructure provisioning
Reference. https://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is-servicecatalog.html