Amazon Exam SOA-C02 Topic 1 Question 109 Discussion

Actual exam question for Amazon's SOA-C02 exam

Question #: 109
Topic #: 1

A company uses AWS Organizations to manage multiple AWS accounts. Corporate policy mandates that only specific AWS Regions can be used to store and process customer dat

a. A SysOps administrator must prevent the provisioning of Amazon EC2 instances in unauthorized Regions by anyone in the company.

What is the MOST operationally efficient solution that meets these requirements?

AConfigure AWS CloudTrail in all Regions to record all API activity Create an Amazon EventBridge rule in all unauthorized Regions for ec2:Runlnstances events. Use AWS Lambda to terminate the launched EC2 instances.

BIn each AWS account, create a managed 1AM policy that uses a Region condition to deny the ec2:Runlnstances action in all unauthorized Regions. Attach this policy to all 1AM groups in each AWS account.

CIn each AWS account, create an 1AM permissions boundary policy that uses a Region condition to deny the ec2:Runlnstances action in all unauthorized Regions. Attach the permissions boundary policy to all 1AM users in each AWS account.

DCreate a service control policy (SCP) in AWS Organizations to deny the ec2:Runlnstances action in all unauthorized Regions. Attach this policy to the root level of the organization.

Show Suggested Answer

Suggested Answer: D

Objective:

Enforce corporate policy to prevent the creation of EC2 instances in unauthorized AWS Regions.

Using Service Control Policies (SCPs):

SCPs are an AWS Organizations feature that allow centralized control over permissions for all accounts in the organization.

By attaching an SCP to the root level of the organization, you can enforce the restriction across all accounts.

Solution Implementation:

Step 1: Open the AWS Organizations console.

Step 2: Create a new SCP with the following policy:

{

'Version': '2012-10-17',

'Statement': [

{

'Effect': 'Deny',

'Action': 'ec2:RunInstances',

'Resource': '*',

'Condition': {

'StringNotEquals': {

'aws:RequestedRegion': [

'us-east-1',

'us-west-2'

]

}

]

}

Replace 'us-east-1' and 'us-west-2' with the allowed Regions.

Step 3: Attach the SCP to the root level of the organization.

AWS Reference:

Service Control Policies (SCPs): SCP Best Practices

Restricting EC2 Regions with SCP: SCP Examples

Why Other Options Are Incorrect:

Option A: CloudTrail and EventBridge with Lambda are operationally less efficient and reactive rather than preventative.

Option B: IAM policies applied at the account level require manual configuration for each account, which is less efficient.

Option C: Permissions boundaries are more suited for controlling specific IAM user or role actions, not account-wide restrictions.

Topic 2, Simulation

by Tijuana at Jan 11, 2025, 04:03 AM

Limited Time Offer

25%

Off

Get Premium SOA-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!