
Amazon Exam ANS-C01 Topic 4 Question 44 Discussion

Actual exam question for Amazon's ANS-C01 exam
Question #: 44
Topic #: 4

A company has AWS accounts in an organization in AWS Organizations. The company has implemented Amazon VPC IP Address Manager (IPAM)in its networking AWS account. The company is using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other AWS accounts. The company has created a top-level pool with a CIDR block of 10.0.0.0/8. For each AWS account, the company has created an IPAM pool within the top-level pool.

A network engineer needs to implement a solution to ensure that users in each AWS account cannot create new VPCs. The solution also must prevent users from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account.

Which solution will meet these requirements?

Suggested Answer: B

Contribute your Thoughts:

Mammie
2 months ago
I wonder if the exam writer had to come up with a way to make 'Ipv4IpamPoolId' sound like a real thing. Gotta love those AWS acronyms!
upvoted 0 times
Alva
1 month ago
B: D) Create an Amazon EventBridge rule to check for AWS CloudTrail events for the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions. Use the rule to invoke an AWS Lambda function to delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool.
upvoted 0 times
William
1 month ago
A: B) Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool.
upvoted 0 times
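The SCP that option B describes, written out as an added example (not from the original post or from AWS documentation). It assumes the account's IPAM pool ID is `ipam-pool-0123456789abcdef0`, a constructed placeholder; the condition key `ec2:Ipv4IpamPoolId` is the real EC2 context key that carries the pool requested by CreateVpc and AssociateVpcCidrBlock.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVpcCidrNotFromAccountIpamPool",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVpc",
        "ec2:AssociateVpcCidrBlock"
      ],
      "Resource": "arn:aws:ec2:*:*:vpc/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Ipv4IpamPoolId": "ipam-pool-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Because `StringNotEquals` is a negated operator, a request that omits the key entirely (a plain CreateVpc with a hand-typed CIDR) also matches and is denied, so one statement covers both the "no IPAM" and the "wrong pool" cases; the SCP must be attached to the OU or account that owns that pool, with a separate copy per account pool.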
Amber
2 months ago
Who else read this question and immediately thought, 'Oh, this is gonna be good. Time to break out the popcorn!'
upvoted 0 times
Dante
2 months ago
I think option D is a bit overkill. Why use an EventBridge rule and a Lambda function when an SCP can do the job just as well?
upvoted 0 times
Nidia
2 months ago
But option B with SCP seems simpler and more straightforward to implement for restricting VPC creation and CIDR block association.
upvoted 0 times
Lauran
2 months ago
Option D is more comprehensive and ensures real-time monitoring of VPC creation and CIDR block association.
upvoted 0 times
Marge
2 months ago
I'm not sure. Option D also seems like a viable solution to me.
upvoted 0 times
Ocie
2 months ago
I like how option B uses the IPAM pool ID as the condition. That's a clever way to ensure the CIDR blocks are from the right pool.
upvoted 0 times
Samira
2 months ago
User 3: Option D could also work by checking CloudTrail events, but Option B seems more straightforward.
upvoted 0 times
Tish
2 months ago
User 2: I agree, using the IPAM pool ID as a condition is a smart way to enforce the rules.
upvoted 0 times
Cortney
2 months ago
User 1: Option B seems like the best choice to restrict VPC creation and CIDR block association.
upvoted 0 times
Felice
3 months ago
B is the correct answer. Using an SCP to deny these actions is the most straightforward way to implement this solution.
upvoted 0 times
Haley
2 months ago
Definitely, implementing restrictions at the SCP level is a good security measure.
upvoted 0 times
Serina
2 months ago
It's important to ensure users can only use CIDR blocks from the IPAM pool.
upvoted 0 times
Chun
2 months ago
Agreed, using an SCP to deny those actions is the best approach.
upvoted 0 times
Bette
2 months ago
I think B is the correct answer.
upvoted 0 times
Frederica
3 months ago
I agree with Tayna. Option B seems to be the most efficient way to prevent users from creating new VPCs.
upvoted 0 times
Tayna
3 months ago
I think option B is the best solution.
upvoted 0 times
