SAP-C02 Question #787: Real Exam Question with Answer & Explanation
The correct answer is D: Use AWS Resource Access Manager (AWS RAM) in the IT account to enable sharing in the …
Question
A company has separate AWS accounts for each of its departments. The accounts are in OUs that are in an organization in AWS Organizations. The IT department manages a private certificate authority (CA) by using AWS Private Certificate Authority in its account. The company needs a solution to allow developer teams in the other departmental accounts to access the private CA to issue certificates for their applications. The solution must maintain appropriate security boundaries between accounts. Which solution will meet these requirements?
Options
- A. Create an AWS Lambda function in the IT account. Program the Lambda function to use the AWS …
- B. Create an IAM identity-based policy that allows cross-account access to AWS Private CA. In the …
- C. In the organization's management account, create an AWS CloudFormation stack to set up a …
- D. Use AWS Resource Access Manager (AWS RAM) in the IT account to enable sharing in the …
Explanation
Developer teams in various AWS accounts need to issue certificates from a central AWS Private CA managed by the IT department, while maintaining secure access boundaries.
Common mistakes:
- A. Using a Lambda function to mediate certificate issuance would introduce unnecessary complexity, operational overhead, and potential performance bottlenecks compared to direct sharing mechanisms.
- B. An IAM identity-based policy grants permissions to principals within the IT account, but on its own it does not securely share the CA resource with principals in other accounts; that cross-account sharing is what RAM provides.
- C. Creating a CloudFormation stack in the management account might be used to deploy resources, but it's not the primary or most direct mechanism for sharing an existing Private CA resource across accounts securely within an organization.
Concept tested: Cross-account resource sharing with AWS RAM
Reference: https://docs.aws.amazon.com/acm-pca/latest/userguide/share-pca.html