SAP-C02 Study Assistant

SAP-C02 Question 351

EC2 IAM Organizations

Question

A company has a project that is launching Amazon EC2 instances that are larger than required. The project's account cannot be part of the company's organization in AWS Organizations due to policy restrictions to keep this activity outside of corporate IT. The company wants to allow only the launch of t3.small EC2 instances by developers in the project's account. These EC2 instances must be restricted to the us-east-2 Region. What should a solutions architect do to meet these requirements?

Options

A. Create a new developer account. Move all EC2 instances, users, and assets into us-east-2. Add the account to the company's organization in AWS Organizations. Enforce a tagging policy that denotes Region affinity.

B. Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in us-east-2. Attach the SCP to the project's account.

C. Create and purchase a t3.small EC2 Reserved Instance for each developer in us-east-2. Assign each developer a specific EC2 instance with their name as the tag.

D. Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project's account.

Answer

D

Explanation

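Correct answer: D

Explanation: The answer to this question is D.

Correct option: D. Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project's account.

Rationale: This option most directly satisfies the key constraints in the question. When working SAP-C02 questions, check every qualifier in the question stem, such as highest performance, lowest operational overhead, cost-effectiveness, reliability, scalability, security, RTO/RPO, and compliance requirements. The main topics relevant to this question include: EC2, IAM, Or...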
