Exam SAP-C02
Question 327

A company orchestrates a multi-account structure on AWS by using AWS Control Tower. The company is using AWS Organizations, AWS Config, and AWS Trusted Advisor. The company has a specific OU for development accounts that developers use to experiment on AWS. The company has hundreds of developers, and each developer has an individual development account.

The company wants to optimize costs in these development accounts. Amazon EC2 instances and Amazon RDS instances in these accounts must be burstable. The company wants to disallow the use of other services that are not relevant.

What should a solutions architect recommend to meet these requirements?

    Correct Answer: C

    To meet the requirement of allowing only burstable EC2 and RDS instances while disallowing irrelevant services in development accounts, a custom preventive control (guardrail) in AWS Control Tower is the best option. Preventive controls are meant to enforce compliance by preventing actions that do not meet specified criteria. By configuring this control to allow only burstable instances and applying it to the development OU, the company can ensure that the desired constraints are enforced in all development accounts.
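Whichever way the restriction is delivered (attached directly as a custom SCP, or deployed by Control Tower as a custom preventive control, which the discussion below notes is also implemented with SCPs), the policy document that ends up on the development OU is an SCP, and SCPs can only deny. The following is an added example, not code from the exam page or from AWS: a deny-only SCP that keeps EC2 and RDS to burstable classes and blocks services outside an assumed "relevant" list, plus a minimal evaluator that applies it to constructed sample API calls. `ec2:InstanceType` and `rds:DatabaseClass` are real condition keys; the service list, account id, region, and sample requests are assumptions, and the evaluator models only the `StringNotLike` operator and first-match deny, not the full IAM evaluation logic.

```python
"""Added example (not from the exam page or AWS): deny-only SCP for a
development OU plus a simplified evaluator over constructed sample calls."""
import fnmatch
import json

SCP_MAX_CHARS = 5120  # AWS Organizations quota for one SCP document

# SCPs sit under the default FullAWSAccess policy: everything stays allowed
# unless a Deny matches, so "allow only burstable" is written as
# "deny anything that is not burstable".
DEV_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonBurstableEc2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            # Scoped to the instance ARN on purpose: RunInstances also evaluates
            # volume/ENI resources that carry no ec2:InstanceType key.
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotLike": {
                "ec2:InstanceType": ["t2.*", "t3.*", "t3a.*", "t4g.*"]}},
        },
        {
            "Sid": "DenyNonBurstableRds",
            "Effect": "Deny",
            "Action": ["rds:CreateDBInstance", "rds:ModifyDBInstance"],
            "Resource": "*",
            "Condition": {"StringNotLike": {
                "rds:DatabaseClass": ["db.t2.*", "db.t3.*", "db.t4g.*"]}},
        },
        {
            # Assumed list of services relevant to developers; NotAction makes
            # this a block on everything else.
            "Sid": "DenyServicesNotRelevantToDev",
            "Effect": "Deny",
            "NotAction": ["ec2:*", "rds:*", "s3:*", "iam:*",
                          "cloudwatch:*", "logs:*", "sts:*"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # IAM-style wildcard match: '*' and '?', case-sensitive
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringNotLike is modelled, since that is all this SCP uses."""
    for key, patterns in condition.get("StringNotLike", {}).items():
        if key not in context:
            # Negated operators treat a missing key as a match, which is why
            # the EC2 statement above must not use Resource "*".
            continue
        if _matches_any(context[key], patterns):
            return False  # value is one of the permitted classes: no deny
    return True


def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt:
        if not _matches_any(action, stmt["Action"]):
            return False
    elif _matches_any(action, stmt["NotAction"]):
        return False
    if not _matches_any(resource, stmt["Resource"]):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(action, resource, context, policy=DEV_OU_SCP):
    """('Deny', sid) for the first matching Deny, else ('Allow', None).
    'Allow' only means this SCP does not block the call; it grants nothing."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, resource, context):
            return "Deny", stmt["Sid"]
    return "Allow", None


def scp_size_ok(policy=DEV_OU_SCP):
    return len(json.dumps(policy, separators=(",", ":"))) <= SCP_MAX_CHARS


# Constructed sample requests; account id and region are placeholders.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/*"
VOLUME_ARN = "arn:aws:ec2:us-east-1:111122223333:volume/*"
DB_ARN = "arn:aws:rds:us-east-1:111122223333:db:dev-db"
SAMPLES = {
    "t3.micro instance": ("ec2:RunInstances", INSTANCE_ARN, {"ec2:InstanceType": "t3.micro"}),
    "m5.large instance": ("ec2:RunInstances", INSTANCE_ARN, {"ec2:InstanceType": "m5.large"}),
    "db.t3.small database": ("rds:CreateDBInstance", DB_ARN, {"rds:DatabaseClass": "db.t3.small"}),
    "db.r6g.large database": ("rds:CreateDBInstance", DB_ARN, {"rds:DatabaseClass": "db.r6g.large"}),
    "sagemaker notebook": ("sagemaker:CreateNotebookInstance", "*", {}),
    "s3 put in dev bucket": ("s3:PutObject", "arn:aws:s3:::dev-bucket/obj", {}),
    "volume created by RunInstances": ("ec2:RunInstances", VOLUME_ARN, {}),
}


def run_samples():
    return {name: evaluate(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    print("size ok:", scp_size_ok())
    for name, (decision, sid) in run_samples().items():
        print(f"{name:32} -> {decision} {sid or ''}")
```

The last sample shows the edge case that bites real deployments: with `Resource` set to `*` instead of the instance ARN, the volume evaluation of the same `RunInstances` call carries no `ec2:InstanceType` key, the negated operator treats the missing key as a match, and every launch is denied.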

Discussion
BrijMohan08 (Option: A)

Applying the custom SCP to the development OU will enforce the restrictions on all the accounts within that OU, effectively limiting the developers to using only the allowed resources and services. AWS Control Tower guardrails (options B and C) are not the ideal solution in this case because they are primarily used for governance and compliance purposes, rather than granular service-level restrictions.

vibzr2023

Answer C: AWS Control Tower is already in use, and a preventive control (guardrail) is the key.

edder (Option: C)

I don't think it's appropriate to make SCP changes from Organization to an OU managed by Control Tower, as it will cause drift. The recommended method is to set it as Preventive. https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.html

Josh1217 (Option: C)

Cannot be A. SCP will create drift and SCPs are used for denying any specific action, not allow as stated in option A.

adelynllllllllll

Answer: C, because A said the SCP will apply to "AWS Organizations", not the OU.

kejam (Option: C)

Answer C: I know it's usually safe to choose the SCP answer, but according to the docs that would create drift with Control Tower and need to be remediated. https://docs.aws.amazon.com/controltower/latest/userguide/drift.html#scp-invariance-scans

career360guru (Option: C)

C is the best option. A is possible, but given that the customer is using Control Tower, option A will cause a drift in the landing zone.

ayadmawla

A = C
custom preventive control (guardrail) = SCP
custom detective control (guardrail) = AWS Config
https://docs.aws.amazon.com/controltower/latest/userguide/controls.html

ayadmawla

Q: How does AWS Control Tower interoperate with AWS Organizations? AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive controls using service control policies (SCPs). Using AWS Organizations, you can further create and attach custom SCPs that centrally control the use of AWS services and resources across multiple AWS accounts. https://aws.amazon.com/controltower/faqs/

TonytheTiger (Option: A)

Option A - The preventive controls are implemented using Service Control Policies (SCPs), which are part of AWS Organizations. Read the "Implementation of control behavior" section: https://docs.aws.amazon.com/controltower/latest/userguide/controls.html

yog927 (Option: A)

Answer is A. "Custom SCP". Drift is caused if you edit the existing SCP. Don't use AWS Organizations to update service control policies (SCPs) attached to an OU that is registered with AWS Control Tower. Doing so could result in the controls entering an unknown state, which will require you to repair your landing zone or re-register your OU in AWS Control Tower. Instead, you can create new SCPs and attach those to the OUs rather than editing the SCPs that AWS Control Tower has created. https://docs.aws.amazon.com/controltower/latest/userguide/orgs-guidance.html

Dgix (Option: A)

Custom preventive guardrails in CT can't do this. The correct answer is A.

ele (Option: A)

AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive controls using service control policies (SCPs). Using AWS Organizations, you can further create and attach custom SCPs that centrally control the use of AWS services and resources across multiple AWS accounts. https://aws.amazon.com/controltower/faqs/

ele

A is right: https://docs.aws.amazon.com/controltower/latest/userguide/orgs-guidance.html Don't use AWS Organizations to update service control policies (SCPs) attached to an OU that is registered with AWS Control Tower. Doing so could result in the controls entering an unknown state, which will require you to repair your landing zone or re-register your OU in AWS Control Tower. Instead, you can create new SCPs and attach those to the OUs rather than editing the SCPs that AWS Control Tower has created.

mns0173

SCP and "allow" are always incompatible

paderni

A, because SCPs are a more straightforward and integrated solution within AWS Organizations for this purpose than preventive controls in Control Tower.

titi_r (Option: C)

C - correct.

duriselvan

Answer: A. Here's why this solution is optimal and why the other options are not as suitable:
1. Enforcement: SCPs (Service Control Policies) are the most effective way to centrally enforce service and instance restrictions across multiple accounts within an OU. Detective controls (guardrails) in Control Tower only detect and report violations, not prevent them. AWS Config rules are for configuration compliance, not access control.
2. Granular Control: SCPs allow fine-grained control over specific services and instance types, enabling the specific allowance of burstable instances and restriction of other services.
3. Ease of Management: SCPs are managed centrally within AWS Organizations, making it efficient to apply and update policies across multiple accounts.
4. Alignment with Control Tower: SCPs integrate seamlessly with AWS Control Tower, ensuring consistent governance within the multi-account environment.

GaryQian

Still following the AWS rule: see OU or management account, choose the answer with the SCP keyword.