ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 1.2: Security ControlsOrganizationsSCPSecurity

AWS SAP-C02 · Question 17 · Domain 1.2: Security Controls

A company is designing a multi-account architecture. They need to ensure that developers in 'Sandbox' accounts have administrative access, but they absolutely cannot disable AWS CloudTrail or modify AWS Config rules. Which TWO actions should the architect take? (Select TWO)

Answer options:

A.

Attach an IAM policy to the developers granting AdministratorAccess.

B.

Use AWS IAM permissions boundaries to restrict CloudTrail and Config access.

C.

Place the Sandbox accounts in a specific Organizational Unit (OU).

D.

Deploy a Lambda function to automatically re-enable CloudTrail if disabled.

E.

Apply a Service Control Policy (SCP) to the Sandbox OU denying 'cloudtrail:StopLogging' and 'config:DeleteConfigRule'.

F.

Remove AdministratorAccess from the developers.

How to approach this question

Use AWS Organizations features to enforce immutable guardrails.

Full Answer

C,E
By placing the accounts in an OU and applying an SCP, you create a preventive guardrail that even account administrators cannot bypass.

Common mistakes

Relying on IAM policies or boundaries which local admins can modify.
16All questions18

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A company is setting up a multi-account AWS environment using AWS Organizations. They need to ens...EasyQ02An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, priv...EasyQ03A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their A...EasyQ04An architect needs to design a highly available database architecture that spans multiple AWS Reg...EasyQ05A global financial institution is migrating its core banking application to AWS. The application ...Medium
View all 75 questions →