Amazon Exam SCS-C01 Topic 7 Question 66 Discussion

Actual exam question for Amazon's SCS-C01 exam

Question #: 66
Topic #: 7

A Security Administrator is restricting the capabilities of company root user accounts. The company uses IAM Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational IAM resource purposes.

How can the Administrator restrict usage of member root user accounts across the organization?

ADisable the use of the root user account at the organizational root. Enable multi-factor authentication of the root user account for each organizational member account.

BConfigure IAM user policies to restrict root account capabilities for each Organizations member account.

CCreate an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user. Add all operational accounts to the new OU.

DConfigure IAM CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage.

Show Suggested Answer

Suggested Answer: D

For this scenario you would need to set up static website hosting because a custom domain name is listed as a requirement. 'Amazon S3 website endpoints do not support HTTPS or access points. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3.' This is not secure. https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html CloudFront signed URLs allow much more fine-grained control as well as HTTPS access with custom domain names: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

by Latia at Jul 13, 2024, 03:47 AM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Cammy

8 months ago

Option B is a big no-no. Giving users direct access to the S3 bucket is a security nightmare waiting to happen.

upvoted 0 times

...

Reena

8 months ago

Haha, option D sounds like a lot of extra work. Why bother with CloudFront when you can just use the simple presigned URL approach?

upvoted 0 times

Shawnda

7 months ago

That's true, but using a presigned URL still provides a secure way to grant temporary access without the extra setup of CloudFront.

upvoted 0 times

...

Carmela

7 months ago

But what about option A? Removing access after a set time seems like a good security measure.

upvoted 0 times

...

Kathryn

7 months ago

I agree, using a presigned URL is a simple and secure solution for granting access to S3 objects.

upvoted 0 times

...

Hester

7 months ago

Yeah, I think using a presigned URL is definitely the way to go in this situation.

upvoted 0 times

...

Louvenia

7 months ago

I agree, option C seems like the easiest and most secure way to handle this.

upvoted 0 times

...

Melissa

7 months ago

Option C is definitely the easiest way to go. No need to overcomplicate things with CloudFront.

upvoted 0 times

...

Jamal

9 months ago

I think configuring read-only access with a bucket ACL and removing access after a set time is a good security measure too.

upvoted 0 times

...

Phuong

9 months ago

I believe creating an S3 presigned URL is also secure, as it limits the access to a specific time period.

upvoted 0 times

...

Eve

9 months ago

I agree with Quinn. Using CloudFront signed URL adds an extra layer of security.

upvoted 0 times

...

Christiane

9 months ago

I agree, C is the best option. Presigned URLs provide a secure way to grant temporary access without managing IAM policies.

upvoted 0 times

...

Kerrie

9 months ago

Option C seems like the most secure choice. Generating a presigned URL allows you to give temporary access without exposing the S3 bucket directly.

upvoted 0 times

Wayne

7 months ago

D) Create an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.

upvoted 0 times

...

Blondell

7 months ago

A) Configure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.

upvoted 0 times

...

Kelvin

8 months ago

C) Create an S3 presigned URL Provide the S3 presigned URL to the user through the application.

upvoted 0 times

...

Zita

8 months ago

D) Create an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.

upvoted 0 times

...

Virgilio

8 months ago

A) Configure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.

upvoted 0 times

...

Leonardo

8 months ago

C) Create an S3 presigned URL Provide the S3 presigned URL to the user through the application.

upvoted 0 times

...

Quinn

9 months ago

I think the most secure way is to create an Amazon CloudFront signed URL.

upvoted 0 times

...