SAP-C02 第 31 题
题目
An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by procurement managers. The procurement team’s policy indicates that developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The procurement team wants administration of Private Marketplace to be restricted to a role named procurement- manager-role, which could be assumed by procurement managers. Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access. What is the MOST efficient way to design an architecture to meet these requirements?
中文翻译:
一家企业公司希望允许其开发人员通过 AWS Marketplace 购买第三方软件。该公司使用启用了全部功能的 AWS Organizations 账户结构,并在每个组织单位 (OU) 中拥有一个供采购经理使用的共享服务账户。采购团队的政策表明,开发人员应该只能从批准的列表中获取第三方软件,并使用 AWS Marketplace 中的 Private Marketplace 来实现此要求。采购团队希望私人市场的管理仅限于名为采购经理角色的角色,该角色可由采购经理承担。公司中的其他 IAM 用户、组、角色和账户管理员应被拒绝 Private Marketplace 管理访问权限。设计架构以满足这些要求的最有效方法是什么?
选项
A. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
中文翻译:
在组织中的所有 AWS 账户中创建名为采购经理角色的 IAM 角色。将 PowerUserAccess 托管策略添加到角色。将内联策略应用于每个 AWS 账户中的所有 IAM 用户和角色,以拒绝对 AWSPrivateMarketplaceAdminFullAccess 托管策略的权限。
B. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
中文翻译:
在组织中的所有 AWS 账户中创建名为采购经理角色的 IAM 角色。将 AdministratorAccess 托管策略添加到角色。使用 AWSPrivateMarketplaceAdminFullAccess 托管策略定义权限边界并将其附加到所有开发人员角色。
C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
中文翻译:
在组织中的所有共享服务账户中创建名为采购经理角色的 IAM 角色。将 AWSPrivateMarketplaceAdminFullAccess 托管策略添加到该角色。创建组织根级 SCP,以拒绝除名为采购经理角色的角色之外的所有人的管理私有市场的权限。创建另一个组织根级 SCP 以拒绝向组织中的每个人创建名为采购经理角色的 IAM 角色的权限。
D. Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.
中文翻译:
在开发人员将使用的所有 AWS 账户中创建名为采购经理角色的 IAM 角色。将 AWSPrivateMarketplaceAdminFullAccess 托管策略添加到该角色。在组织中创建 SCP,以拒绝除名为采购经理角色的角色之外的所有人的管理私有市场的权限。将 SCP 应用到组织中的所有共享服务帐户。
答案
C
解析
正确答案:C 解析: 本题应选择 C。 正确选项: C. 在组织中的所有共享服务账户中创建名为采购经理角色的 IAM 角色。将 AWSPrivateMarketplaceAdminFullAccess 托管策略添加到该角色。创建组织根级 SCP,以拒绝除名为采购经理角色的角色之外的所有人的管理私有市场的权限。创建另一个组织根级 SCP 以拒绝向组织中的每个人创建名为采购经理角色的 IAM 角色的权限。 选择理由: 该选项最直接地满足题干...