
Amazon SAP-C02 Exam - Topic 1 Question 9 Discussion

Actual exam question for Amazon's SAP-C02 exam
Question #: 9
Topic #: 1

A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU.

The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company's security team is subscribed to the SNS topic.

For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source.

Which solution will meet this requirement with the LEAST operational overhead?

Suggested Answer: D

This solution meets the requirement with the least operational overhead because an SCP attached to the NonProd OU denies the action at the API itself, which is exactly what is asked: the requirement is to remove the ability to create the rule, not to detect it afterwards. It needs no extra moving parts such as an AWS Lambda function invoked by the EventBridge rule or an additional AWS Config rule; both of those can only report on or remediate an open inbound rule after it has already been created.

A service control policy (SCP) is an AWS Organizations policy type that sets the maximum permissions available to the principals in the member accounts it is attached to. An SCP never grants access on its own; it is a guardrail that caps what IAM identity-based policies in the account can grant, and it applies to every IAM user and role in the account, including the account's root user. SCPs can allow or deny access to specific services, actions, and resources, and they can be attached to the organization root, to an OU, or to individual accounts. They do not affect the organization's management account.

To implement this solution, create an SCP that denies the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0, and attach it to the NonProd OU. Because SCPs are inherited down the OU tree, the deny takes effect in every account under NonProd and leaves the Prod OU untouched; the existing EventBridge rule continues to notify the security team about open inbound rules created elsewhere. One caveat a practitioner should keep in mind: aws:SourceIp is the IP address of the principal making the API call, not the CIDR being written into the security group rule. Used with the IpAddress operator, 0.0.0.0/0 therefore matches every IPv4 caller, so in practice this SCP blocks the AuthorizeSecurityGroupIngress call itself across the OU rather than inspecting the rule's source CIDR.
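The following is an added example and is not part of the original page or of AWS documentation: it writes out the SCP document described above and uses the AWS CLI to create it and attach it to the NonProd OU. The Sid, policy name and description are illustrative assumptions; the OU ID is supplied by the caller and must be the real NonProd OU ID. As noted above, aws:SourceIp matches the caller's address, so this policy denies the call for every IPv4 caller in the OU.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: build the SCP the suggested
# answer describes and attach it to the NonProd OU with the AWS CLI.
# Assumptions: Sid, policy name and description are illustrative; the OU ID
# is passed in by the caller. Requires the AWS CLI and credentials for the
# organization's management account (or a delegated administrator).
set -euo pipefail

# Emit the policy document. The condition is the one the suggested answer
# names. Caveat: aws:SourceIp is the address of the principal calling the
# API, not the CIDR written into the security group rule, so with the
# IpAddress operator 0.0.0.0/0 matches every IPv4 caller and the statement
# denies the AuthorizeSecurityGroupIngress call outright in the OU.
scp_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOpenIngressInNonProd",
      "Effect": "Deny",
      "Action": "ec2:AuthorizeSecurityGroupIngress",
      "Resource": "*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "0.0.0.0/0" }
      }
    }
  ]
}
EOF
}

# SCP documents are limited to 5120 bytes; fail early if that is exceeded.
scp_size_ok() {
  local bytes
  bytes=$(scp_document | wc -c | tr -d ' ')
  [ "$bytes" -le 5120 ]
}

# Create the policy once and attach it to the given OU (the NonProd OU).
# SCPs are inherited, so every account under the OU is covered; the Prod OU
# is untouched because the policy is never attached there.
attach_scp() {
  local ou_id="$1"
  local policy_id
  scp_size_ok
  policy_id=$(aws organizations create-policy \
    --name DenyOpenIngressInNonProd \
    --description "Deny ec2:AuthorizeSecurityGroupIngress from 0.0.0.0/0" \
    --type SERVICE_CONTROL_POLICY \
    --content "$(scp_document)" \
    --query 'Policy.PolicySummary.Id' --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$ou_id"
  echo "$policy_id"
}

# Usage: ./deny-open-ingress.sh --attach ou-xxxx-xxxxxxxx
# Without --attach the script only prints the document for review.
if [ "${1:-}" = "--attach" ]; then
  attach_scp "$2"
else
  scp_document
fi
```

SCPs must already be enabled on the organization root (aws organizations enable-policy-type --root-id r-xxxx --policy-type SERVICE_CONTROL_POLICY) before create-policy will be accepted. After attaching, aws organizations list-policies-for-target --target-id ou-xxxx-xxxxxxxx --filter SERVICE_CONTROL_POLICY confirms the policy is in place, and a test call to authorize-security-group-ingress from a NonProd account should now fail with an explicit deny that the EventBridge rule never sees, because no rule is created.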


https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_condition-keys.html

Contribute your Thoughts:

Viola
4 months ago
Totally agree with D, it’s straightforward and effective!
upvoted 0 times
...
Thaddeus
4 months ago
A is too complicated for what we need.
upvoted 0 times
...
Tyra
4 months ago
Wait, can we really just use an SCP for this?
upvoted 0 times
...
Justine
4 months ago
I think D is the best choice for security.
upvoted 0 times
...
Mirta
4 months ago
Option B seems like the easiest fix.
upvoted 0 times
...
Tori
5 months ago
I keep getting confused between modifying EventBridge rules and using SCPs. I feel like option A might add more overhead, so I’m leaning towards D for simplicity.
upvoted 0 times
...
Raina
5 months ago
I practiced a similar question about security group rules and SCPs. I think option C could work too, but it seems more complex than just denying the action outright.
upvoted 0 times
...
Felix
5 months ago
I'm not entirely sure, but I feel like using AWS Config rules could help. Option B sounds familiar, but I wonder if it actually prevents the creation of those rules effectively.
upvoted 0 times
...
Shawn
5 months ago
I remember studying about Service Control Policies (SCPs) and how they can restrict actions across accounts. I think option D might be the right choice since it directly denies the action for 0.0.0.0/0.
upvoted 0 times
...
Floyd
5 months ago
This seems like a straightforward question about business functions. I'll need to think carefully about the key responsibilities of each function type.
upvoted 0 times
...
Socorro
5 months ago
I'm a bit stumped on this one. Enabling ARR doesn't seem to address the specific requirements we have for session state and HTTP response storage. I'll need to review the problem statement again and see if I can come up with a better solution.
upvoted 0 times
...
Ashton
5 months ago
Hmm, I'm a bit unsure. Isn't there a difference between convenience and shopping products? I remember discussing that in class.
upvoted 0 times
...
