AWS SAP-C02 · Question 02 · Domain 1.2: Security Controls
A company uses AWS Organizations to manage multiple accounts. The security team mandates that no Amazon S3 buckets can be made public, and all EBS volumes must be encrypted. Developers need the ability to manage their own IAM roles, but must not be able to bypass these security controls. Which combination of actions should the Solutions Architect take? (Select TWO)
Answer options:
Create a Service Control Policy (SCP) that denies the s3:PutBucketPublicAccessBlock action and attach it to the root of the organization.
Create an SCP that denies the ec2:CreateVolume action if the encrypted flag is false and attach it to the root.
Use AWS IAM permissions boundaries on all developer roles to deny S3 public access and enforce EBS encryption.
Enable AWS Config rules in the management account to automatically terminate unencrypted EBS volumes.
Create an IAM policy denying S3 public access and attach it to the AWS Organizations management account.
Use AWS CloudTrail to monitor for unencrypted volumes and trigger a Lambda function to encrypt them.
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5