SAP-C02 Study Assistant

SAP-C02 Question 334

RDS IAM Organizations Control Tower Config

Question

A company is migrating its infrastructure to the AWS Cloud. The company must comply with a variety of regulatory standards for different projects. The company needs a multi-account environment. A solutions architect needs to prepare the baseline infrastructure. The solution must provide a consistent baseline of management and security, but it must allow flexibility for different compliance requirements within various AWS accounts. The solution also needs to integrate with the existing on-premises Active Directory Federation Services (AD FS) server. Which solution meets these requirements with the LEAST amount of operational overhead?


Options

A. Create an organization in AWS Organizations. Create a single SCP for least privilege access across all accounts. Create a single OU for all accounts. Configure an IAM identity provider for federation with the on-premises AD FS server. Configure a central logging account with a defined process for log generating services to send log events to the central account. Enable AWS Config in the central account with conformance packs for all accounts.


B. Create an organization in AWS Organizations. Enable AWS Control Tower on the organization. Review included controls (guardrails) for SCPs. Check AWS Config for areas that require additions. Add OUs as necessary. Connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server.


C. Create an organization in AWS Organizations. Create SCPs for least privilege access. Create an OU structure, and use it to group AWS accounts. Connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server. Configure a central logging account with a defined process for log generating services to send log events to the central account. Enable AWS Config in the central account with aggregators and conformance packs.


D. Create an organization in AWS Organizations. Enable AWS Control Tower on the organization. Review included controls (guardrails) for SCPs. Check AWS Config for areas that require additions. Configure an IAM identity provider for federation with the on-premises AD FS server.


Answer

B

Explanation

Correct answer: B. Option B: create an organization in AWS Organizations, enable AWS Control Tower on it, review the included controls (guardrails) for SCPs, check AWS Config for areas that need additions, add OUs as necessary, and connect AWS IAM Identity Center (AWS Single Sign-On) to the on-premises AD FS server. Why: this option most directly satisfies the key constraints in the question. Control Tower builds the landing zone for you (the organization, the log archive and audit accounts, preventive guardrails implemented as SCPs and detective guardrails implemented as AWS Config rules), so the consistent management and security baseline comes with the least operational overhead; the options that hand-build SCPs, a central logging account and Config aggregators (A and C) do the same work manually. Additional OUs let each compliance regime carry its own controls on top of the root-level baseline, which a single OU (A) cannot do. IAM Identity Center federates once, centrally, with AD FS over SAML 2.0, whereas configuring an IAM identity provider (A and D) has to be repeated in every account. ...
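To make the "consistent baseline plus per-OU flexibility" point concrete, here is a small Python model of how SCP evaluation walks the organization hierarchy. It is an added example written for this page, not code from the exam or from AWS, and it simplifies IAM pattern matching to shell-style wildcards, ignores identity policies and permission boundaries, and uses constructed policy, OU and role names and account IDs. It encodes the documented rule that an SCP never grants anything by itself: a request passes only if, at every level from the root down to the account, some attached SCP allows the action and none denies it.

```python
"""Model of AWS Organizations SCP evaluation along the root -> OU -> account path.

Added example, not the page's own code. Simplifications: IAM wildcards are
modelled with fnmatch; identity policies and permission boundaries are out of
scope. Policy names, OU names, role names and account IDs are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def _any_match(value, patterns):
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


@dataclass(frozen=True)
class Statement:
    effect: str                     # "Allow" or "Deny"
    actions: tuple = ()             # "Action" patterns, e.g. "s3:*"
    not_actions: tuple = ()         # "NotAction": statement covers everything else
    unless_region_in: tuple = ()    # StringNotEquals on aws:RequestedRegion
    exempt_principals: tuple = ()   # ArnNotLike on aws:PrincipalARN

    def applies(self, action, region, principal_arn):
        if self.not_actions:
            if _any_match(action, self.not_actions):
                return False
        elif not _any_match(action, self.actions):
            return False
        if self.unless_region_in and region in self.unless_region_in:
            return False
        if _any_match(principal_arn, self.exempt_principals):
            return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    statements: tuple


@dataclass
class Node:
    """Root, OU or account; SCPs can be attached at any of these levels."""
    name: str
    policies: list = field(default_factory=list)
    parent: "Node | None" = None

    def path_from_root(self):
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def level_decision(node, action, region, principal_arn):
    """One level: an explicit Deny wins; otherwise an Allow must exist."""
    allowed = False
    for policy in node.policies:
        for st in policy.statements:
            if not st.applies(action, region, principal_arn):
                continue
            if st.effect == "Deny":
                return False, f"{node.name}:{policy.name}"
            allowed = True
    return allowed, (None if allowed else f"{node.name}:no-allow-statement")


def scp_decision(account, action, region, principal_arn):
    """Walk root -> OU -> account; return (allowed, blocking 'level:policy')."""
    for node in account.path_from_root():
        ok, reason = level_decision(node, action, region, principal_arn)
        if not ok:
            return False, reason
    return True, None


FULL_AWS_ACCESS = Policy("FullAWSAccess", (Statement("Allow", actions=("*",)),))

# Baseline attached at the root: deny everything outside the approved regions,
# except global services and a constructed break-glass role.
REGION_BASELINE = Policy("DenyOutsideApprovedRegions", (
    Statement("Deny",
              not_actions=("iam:*", "organizations:*", "sts:*", "support:*"),
              unless_region_in=("us-east-1", "eu-west-1"),
              exempt_principals=("arn:aws:iam::*:role/OrgBreakGlass",)),
))

# Extra control attached only to the regulated OU: protect audit logging.
PROTECT_AUDIT_LOGS = Policy("ProtectAuditLogs", (
    Statement("Deny", actions=("cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                               "config:StopConfigurationRecorder",
                               "config:DeleteConfigurationRecorder")),
))


def build_org():
    """Constructed hierarchy: one baseline at the root, stricter rules per OU."""
    root = Node("Root", [FULL_AWS_ACCESS, REGION_BASELINE])
    sandbox = Node("OU/Sandbox", [FULL_AWS_ACCESS], root)
    regulated = Node("OU/Regulated", [FULL_AWS_ACCESS, PROTECT_AUDIT_LOGS], root)
    return {
        "dev": Node("111111111111", [FULL_AWS_ACCESS], sandbox),
        "pci": Node("222222222222", [FULL_AWS_ACCESS], regulated),
    }


if __name__ == "__main__":
    org = build_org()
    role = "arn:aws:iam::222222222222:role/AppDeploy"
    for acct, action, region in [("pci", "s3:GetObject", "eu-west-1"),
                                 ("dev", "ec2:RunInstances", "ap-southeast-1"),
                                 ("pci", "cloudtrail:StopLogging", "us-east-1"),
                                 ("dev", "cloudtrail:StopLogging", "us-east-1")]:
        print(acct, action, region, scp_decision(org[acct], action, region, role))
```

The model reproduces two behaviours worth remembering in practice: the root-level region restriction blocks every account regardless of OU, while the audit-log protection only bites in the Regulated OU; and because each level needs its own Allow, replacing FullAWSAccess on an OU with a deny-only policy silently blocks everything beneath it.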
