
A company operates multiple workloads across several software development units in the AWS Cloud. The units use AWS Organizations and SAML federation to give developers access to manage resources in their respective AWS accounts. Each development unit deploys its production workloads into a shared production account. An incident recently occurred in this production account in which members of one development unit inadvertently terminated an EC2 instance belonging to another unit. A solutions architect needs to devise a strategy that prevents this from happening again while still allowing developers to manage the instances assigned to their own unit. What approach should be adopted to fulfill these objectives?
A
Establish distinct Organizational Units (OUs) within AWS Organizations for each development unit, mapping these OUs to the company's AWS accounts. Craft individual Service Control Policies (SCPs) with a deny action and a StringNotEquals condition on the DevelopmentUnit resource tag corresponding to each development unit's name, and apply these SCPs to their respective OUs.
B
Incorporate a DevelopmentUnit attribute as an AWS Security Token Service (AWS STS) session tag during SAML federation. Amend the IAM policy associated with the developers' assumed IAM roles to include a deny action and a StringNotEquals condition on both the DevelopmentUnit resource tag and the aws:PrincipalTag/DevelopmentUnit.
C
Integrate a DevelopmentUnit attribute as an AWS Security Token Service (AWS STS) session tag during SAML federation. Develop a Service Control Policy (SCP) with an allow action and a StringEquals condition on both the DevelopmentUnit resource tag and the aws:PrincipalTag/DevelopmentUnit, and attach this SCP to the root Organizational Unit (OU).
D
Designate separate IAM policies for each development unit, each containing an allow action and a StringEquals condition on the DevelopmentUnit resource tag and the development unit's name. During SAML federation, employ AWS Security Token Service (AWS STS) to link the appropriate IAM policy to the assumed IAM role, ensuring it aligns with the development unit's name.
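The mechanism behind option B is attribute-based access control (ABAC): the identity provider passes a DevelopmentUnit attribute as an STS session tag (SAML attribute name https://aws.amazon.com/SAML/Attributes/PrincipalTag:DevelopmentUnit, and the role's trust policy must grant sts:TagSession alongside sts:AssumeRoleWithSAML), and a Deny statement on the role compares the instance's ec2:ResourceTag/DevelopmentUnit with ${aws:PrincipalTag/DevelopmentUnit}. The added example below is not part of the original question: it embeds a hypothetical identity policy modelled on that pattern and a toy evaluator (not the real IAM engine) that implements only the pieces the pattern relies on, including the documented rule that a negated operator such as StringNotEquals matches when the condition key is absent, which is what makes an untagged instance fail closed. The unit names and the allow/deny results are constructed sample values; resource ARN matching is deliberately omitted because every statement here targets instance ARNs.

```python
"""Toy ABAC evaluation of the option B deny guard (added example, hypothetical policy)."""
import json

# Hypothetical identity policy for the developers' federated role, modelled on option B.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances",
                 "ec2:RebootInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*"
    },
    {
      "Sid": "DenyOtherUnitsInstances",
      "Effect": "Deny",
      "Action": ["ec2:StartInstances", "ec2:StopInstances",
                 "ec2:RebootInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ResourceTag/DevelopmentUnit": "${aws:PrincipalTag/DevelopmentUnit}"
        }
      }
    }
  ]
}
""")


def _resolve(value, context):
    """Expand a ${key} policy variable from the request context (None if unset)."""
    if value.startswith("${") and value.endswith("}"):
        return context.get(value[2:-1])
    return value


def _condition_matches(condition, context):
    """Evaluate a Condition block; only the two string operators used above are supported."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _resolve(expected, context)
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key counts as a match, so an instance
                # with no DevelopmentUnit tag is caught by the Deny (fail closed).
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def _action_matches(statement, action):
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return action in actions or "ec2:*" in actions or "*" in actions


def evaluate(policy, action, context):
    """Return 'allow' or 'deny' for one action under one identity policy.

    An explicit Deny wins over any Allow; with no matching Allow the default is deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "deny"


def request_context(principal_unit, instance_unit):
    """Build the condition keys IAM would see for one request (constructed sample values)."""
    ctx = {}
    if principal_unit is not None:
        ctx["aws:PrincipalTag/DevelopmentUnit"] = principal_unit  # from the STS session tag
    if instance_unit is not None:
        ctx["ec2:ResourceTag/DevelopmentUnit"] = instance_unit    # from the instance's tags
    return ctx


def can_terminate(principal_unit, instance_unit):
    """Convenience wrapper: may a developer from principal_unit terminate this instance?"""
    return evaluate(DEVELOPER_POLICY, "ec2:TerminateInstances",
                    request_context(principal_unit, instance_unit))


if __name__ == "__main__":
    print("own unit:      ", can_terminate("payments", "payments"))
    print("other unit:    ", can_terminate("payments", "search"))
    print("untagged inst: ", can_terminate("payments", None))
```

The untagged case is the one to check before rolling this out: any instance that lacks the DevelopmentUnit tag becomes unmanageable by every unit until it is tagged, so pair the policy with a tagging requirement on ec2:RunInstances (aws:RequestTag/DevelopmentUnit) and validate the real policy with the IAM policy simulator rather than trusting a toy evaluator.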