
Answer-first summary for fast verification
Answer: Create an AWS Service Catalog product from the environment template. Add a launch constraint to the product with the existing role. Give users in the QA department permission to use AWS Service Catalog APIs only. Train users to launch the template from the AWS Service Catalog console.

Creating an AWS Service Catalog product from the environment template addresses the requirement to allow testers to launch their own environments without granting them broad permissions. Here's why option B is the correct choice:

1. **AWS Service Catalog**: This service allows you to create and manage catalogs of IT services that are approved for use on AWS. By creating a product from the environment template, you encapsulate the necessary configurations and permissions within a controlled product.
2. **Launch Constraint**: Adding a launch constraint with the existing role ensures that the environments are launched with predefined permissions, maintaining control over the resource creation process. This prevents users from requiring elevated privileges themselves.
3. **Permission Limitation**: QA users are given permission to use AWS Service Catalog APIs only, which limits their ability to perform unauthorized actions on AWS resources. This meets the goal of not granting broad permissions to each user.
4. **Ease of Use**: Training users to launch the template from the AWS Service Catalog console simplifies the process, providing a user-friendly interface while ensuring compliance with security and governance policies.

In summary, option B provides a structured, secure, and user-friendly approach to allow QA testers to launch environments without needing extensive permissions, thereby achieving the manager's goals effectively.
Author: LeetQuiz Editorial Team
A company has an application that uses Amazon EC2 instances in an Auto Scaling group. The Quality Assurance (QA) department needs to launch a large number of short-lived environments to test the application. The application environments are currently launched by the Manager of the department using an AWS CloudFormation template. To launch the stack, the Manager uses a role with permission to use CloudFormation, EC2, and Auto Scaling APIs. The Manager wants to allow testers to launch their own environments, but does not want to grant broad permissions to each user. Which setup would achieve these goals?
A
Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to assume the Manager's role and add a policy that restricts the permissions to the template and the resources it creates. Train users to launch the template from the CloudFormation console.
B
Create an AWS Service Catalog product from the environment template. Add a launch constraint to the product with the existing role. Give users in the QA department permission to use AWS Service Catalog APIs only. Train users to launch the template from the AWS Service Catalog console.
C
Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to use CloudFormation and S3 APIs, with conditions that restrict the permissions to the template and the resources it creates. Train users to launch the template from the CloudFormation console.
D
Create an AWS Elastic Beanstalk application from the environment template. Give users in the QA department permission to use Elastic Beanstalk permissions only. Train users to launch Elastic Beanstalk CLI, passing the existing role to the environment as a service role.