ExpertHard1 markMultiple Choice
AWS SAP-C02 · Question 52 · Domain 3.2: Security Improvement
A company wants to enforce strict data perimeter controls. They want to ensure that IAM principals in their AWS Organization can only access AWS resources from within their corporate network or their VPCs. Which TWO mechanisms should be used together to achieve this? (Select TWO)
A company wants to enforce strict data perimeter controls. They want to ensure that IAM principals in their AWS Organization can only access AWS resources from within their corporate network or their VPCs. Which TWO mechanisms should be used together to achieve this? (Select TWO)
Answer options:
A.
AWS WAF IP rate limiting rules.
B.
VPC Security Groups.
C.
Service Control Policies (SCPs).
D.
AWS Network Firewall.
E.
IAM condition keys (aws:SourceIp and aws:SourceVpc).
F.
AWS Shield Advanced.
How to approach this question
Identify the policy type and the condition keys used for network perimeters.
Full Answer
C, E
To establish a data perimeter, you use Service Control Policies (SCPs) applied at the Organization level. Within these SCPs, you use IAM condition keys like aws:SourceIp and aws:SourceVpc to deny access if the request doesn't originate from approved networks.
Common mistakes
Thinking Security Groups control AWS API access.
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 6
75 questions · hints · full answers · grading
More questions from this exam
Q01A global enterprise requires highly available hybrid connectivity between its on-premises data ce...HardQ02An organization has 50 VPCs across two AWS Regions connected via Transit Gateways (TGW). The TGWs...HardQ03A company uses AWS Organizations. The network team wants to share a central Transit Gateway (TGW)...MediumQ04An enterprise has on-premises data centers in the US and Europe. They want to use the AWS global ...HardQ05A company requires that all API calls to Amazon S3 from their VPC must not traverse the public in...Medium