
SAP-C02 Question #854: Real Exam Question with Answer & Explanation

The correct answer is C: Create an SCP that blocks the creation and attachment of internet gateways. Assign the SCP to

Submitted by mike_84 · Mar 6, 2026 · Domain: Design Solutions for Organizational Complexity

Question

A company is migrating to AWS. The company created a central networking account in an organization in AWS Organizations with all features enabled. The networking account has a VPC that includes a custom firewall appliance. The company configured the inbound routes from the internet to route to the appliance. The company will set up new AWS accounts for the company's migrated services. All the new accounts will share the same new OU. Users of the new accounts will assume IAM roles that have the AdministratorAccess policy. All inbound traffic from the internet in all new accounts must be routed through the central networking account. The company needs a solution that does not deploy an internet gateway into the new accounts. The solution must not allow changes to the route tables for any public subnets. Which solution will meet these requirements?

Options

  • A. Create an IAM permissions boundary that blocks access to the CreateInternetGateway action.
  • B. Create an SCP that allows only the specific actions that users need in the new accounts.
  • C. Create an SCP that blocks the creation and attachment of internet gateways. Assign the SCP to
  • D. Update the IAM roles with an inline policy that adds a Deny statement to block the ReplaceRoute

Explanation

Block IGW creation and attachment organization-wide with an SCP, then share the networking account's public subnets with the OU via AWS RAM. The new accounts place their internet-facing resources in those shared subnets, whose route tables remain owned and controlled by the central networking account, so all inbound traffic is forced through the existing firewall appliance; there are no IGWs and no route changes in member
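As an added illustration (not from the page or the exam vendor), this is one way to express the SCP the explanation describes: an explicit Deny on the two EC2 actions that create and attach an internet gateway, attached to the OU that holds the new accounts. Because the public subnets are shared from the networking account via AWS RAM, participant accounts cannot create or modify route tables for those subnets anyway, so the SCP only needs to cover the IGW actions; the statement ID is a placeholder of my own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInternetGatewayCreateAndAttach",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway"
      ],
      "Resource": "*"
    }
  ]
}
```

An SCP deny applies to every IAM principal in the member accounts, including roles with AdministratorAccess, which is why it holds where a permissions boundary or an inline policy on the role could be edited away by those same administrators. It does not apply to the organization's management account or to service-linked roles, so the central networking account should not be the management account if the same restriction is expected there.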

Community Discussion

No community discussion yet for this question.
