
SAP-C02 Exam - Question 327


A company orchestrates a multi-account structure on AWS by using AWS Control Tower. The company is using AWS Organizations, AWS Config, and AWS Trusted Advisor. The company has a specific OU for development accounts that developers use to experiment on AWS. The company has hundreds of developers, and each developer has an individual development account.

The company wants to optimize costs in these development accounts. Amazon EC2 instances and Amazon RDS instances in these accounts must be burstable. The company wants to disallow the use of other services that are not relevant.

What should a solutions architect recommend to meet these requirements?

Correct Answer: C

To meet the requirement of allowing only burstable EC2 and RDS instances while disallowing irrelevant services in development accounts, a custom preventive control (guardrail) in AWS Control Tower is the best option. Preventive controls are meant to enforce compliance by preventing actions that do not meet specified criteria. By configuring this control to allow only burstable instances and applying it to the development OU, the company can ensure that the desired constraints are enforced in all development accounts.
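As an added example (not from the exam page, AWS documentation, or any Control Tower control library), here is what the "only burstable instances, only relevant services" rule looks like as a policy document: the same JSON is what a Control Tower custom preventive control or a new SCP attached to the development OU would carry. The condition keys `ec2:InstanceType` and `rds:DatabaseClass` are real; the burstable families, the allowed-service list, and the small local matcher that shows which requests the policy denies are assumptions made for illustration.

```python
import fnmatch

# Constructed example values (not from the exam page): burstable families and
# the services a development account is assumed to need.
BURSTABLE_EC2 = ["t2.*", "t3.*", "t3a.*", "t4g.*"]
BURSTABLE_RDS = ["db.t2.*", "db.t3.*", "db.t4g.*"]
ALLOWED_SERVICES = ["ec2:*", "rds:*", "s3:*", "cloudwatch:*", "logs:*",
                    "iam:*", "sts:*", "cloudformation:*"]

# SCPs never grant access. "Allow only burstable" is written as a Deny whose
# condition is negated (StringNotLike); "allow only these services" is a Deny
# on NotAction. Attach this as a NEW policy to the development OU rather than
# editing the SCPs that Control Tower manages.
DEV_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyNonBurstableEC2", "Effect": "Deny",
         "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotLike": {"ec2:InstanceType": BURSTABLE_EC2}}},
        {"Sid": "DenyNonBurstableRDS", "Effect": "Deny",
         "Action": "rds:CreateDBInstance",
         "Resource": "*",
         "Condition": {"StringNotLike": {"rds:DatabaseClass": BURSTABLE_RDS}}},
        {"Sid": "DenyServicesOutsideAllowList", "Effect": "Deny",
         "NotAction": ALLOWED_SERVICES,
         "Resource": "*"},
    ],
}


def _matches_action(stmt: dict, action: str) -> bool:
    """Action/NotAction matching with IAM-style wildcards."""
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action, a) for a in stmt["NotAction"])
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return any(fnmatch.fnmatchcase(action, a) for a in acts)


def scp_denies(action: str, context: dict) -> bool:
    """Local approximation of SCP evaluation for the policy above: a request is
    denied if any Deny statement matches the action and its condition holds.
    Only StringNotLike is modelled, and the caller must supply every condition
    key the statement references (real IAM treats a missing key per operator)."""
    for stmt in DEV_OU_SCP["Statement"]:
        if not _matches_action(stmt, action):
            continue
        cond = stmt.get("Condition", {}).get("StringNotLike", {})
        # StringNotLike is true for a key when its value matches none of the patterns.
        if all(not any(fnmatch.fnmatchcase(context[k], p) for p in pats)
               for k, pats in cond.items()):
            return True
    return False
```

Changing the instance class after creation (ec2:ModifyInstanceAttribute, rds:ModifyDBInstance) needs its own statements, and condition-key support for those actions should be confirmed in the Service Authorization Reference before relying on it.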

Discussion

17 comments
edder (Option: C)
Dec 8, 2023

I don't think it's appropriate to make SCP changes from Organization to an OU managed by Control Tower, as it will cause drift. The recommended method is to set it as Preventive. https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.html

vibzr2023
Jan 12, 2024

Answer C: AWS Control Tower is already in use, and a preventive control (guardrail) is the key.

BrijMohan08 (Option: A)
Apr 28, 2024

Applying the custom SCP to the development OU will enforce the restrictions on all the accounts within that OU, effectively limiting the developers to using only the allowed resources and services. AWS Control Tower guardrails (options B and C) are not the ideal solution in this case because they are primarily used for governance and compliance purposes, rather than granular service-level restrictions.

ayadmawla
Dec 9, 2023

A = C; custom preventive control (guardrail) = SCP; custom detective control (guardrail) = AWS Config. https://docs.aws.amazon.com/controltower/latest/userguide/controls.html

ayadmawla
Dec 17, 2023

Q: How does AWS Control Tower interoperate with AWS Organizations? AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive controls using service control policies (SCPs). Using AWS Organizations, you can further create and attach custom SCPs that centrally control the use of AWS services and resources across multiple AWS accounts. https://aws.amazon.com/controltower/faqs/

career360guru (Option: C)
Jan 9, 2024

C is the best option. A is possible, but given that the customer is using Control Tower, option A will cause drift in the landing zone.

kejam (Option: C)
Jan 29, 2024

Answer C: I know it's usually safe to choose the SCP answer, but according to the docs that would create drift with Control Tower and need to be remediated. https://docs.aws.amazon.com/controltower/latest/userguide/drift.html#scp-invariance-scans

adelynllllllllll
Feb 16, 2024

Answer: C, because A said the SCP will apply to "AWS Organizations", not the OU.

Josh1217 (Option: C)
Jun 23, 2024

Cannot be A. SCP will create drift and SCPs are used for denying any specific action, not allow as stated in option A.

ele (Option: A)
Feb 3, 2024

AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive controls using service control policies (SCPs). Using AWS Organizations, you can further create and attach custom SCPs that centrally control the use of AWS services and resources across multiple AWS accounts. https://aws.amazon.com/controltower/faqs/

ele
Feb 17, 2024

A is right: https://docs.aws.amazon.com/controltower/latest/userguide/orgs-guidance.html Don't use AWS Organizations to update service control policies (SCPs) attached to an OU that is registered with AWS Control Tower. Doing so could result in the controls entering an unknown state, which will require you to repair your landing zone or re-register your OU in AWS Control Tower. Instead, you can create new SCPs and attach those to the OUs rather than editing the SCPs that AWS Control Tower has created.

Dgix (Option: A)
Mar 9, 2024

Custom preventive guardrails in CT can't do this. The correct answer is A.

yog927 (Option: A)
Mar 16, 2024

Answer is A. "Custom SCP": drift is caused if you edit the existing SCP. Don't use AWS Organizations to update service control policies (SCPs) attached to an OU that is registered with AWS Control Tower. Doing so could result in the controls entering an unknown state, which will require you to repair your landing zone or re-register your OU in AWS Control Tower. Instead, you can create new SCPs and attach those to the OUs rather than editing the SCPs that AWS Control Tower has created. https://docs.aws.amazon.com/controltower/latest/userguide/orgs-guidance.html

TonytheTiger (Option: A)
Mar 22, 2024

Option A - The preventive controls are implemented using Service Control Policies (SCPs), which are part of AWS Organizations. Read the "Implementation of control behavior" section: https://docs.aws.amazon.com/controltower/latest/userguide/controls.html

GaryQian
Dec 10, 2023

Still following the AWS rule: see OU or management account, choose the answer with the SCP keyword.

duriselvan
Dec 23, 2023

Answer: A. Here's why this solution is optimal and why the other options are not as suitable:

1. Enforcement: SCPs (Service Control Policies) are the most effective way to centrally enforce service and instance restrictions across multiple accounts within an OU. Detective controls (guardrails) in Control Tower only detect and report violations, not prevent them. AWS Config rules are for configuration compliance, not access control.
2. Granular Control: SCPs allow fine-grained control over specific services and instance types, enabling the specific allowance of burstable instances and restriction of other services.
3. Ease of Management: SCPs are managed centrally within AWS Organizations, making it efficient to apply and update policies across multiple accounts.
4. Alignment with Control Tower: SCPs integrate seamlessly with AWS Control Tower, ensuring consistent governance within the multi-account environment.

titi_r (Option: C)
Apr 15, 2024

C - correct.

paderni
May 25, 2024

A - because SCPs are a more straightforward and integrated solution within AWS Organizations for this purpose than preventive controls in Control Tower.

mns0173
Jul 17, 2024

SCP and "allow" are always incompatible