SAP-C02 Study Assistant

SAP-C02 Question 385

EC2 IAM Organizations

Question

A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account. Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads. Which strategy will meet these requirements?


Options

A. Create separate OUs in AWS Organizations for each development unit. Assign the created OUs to the company AWS accounts. Create separate SCP with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag that matches the development unit name. Assign the SCP to the corresponding OU.


B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit.


C. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Create an SCP with an allow action and a StringEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.


D. Create separate IAM policies for each development unit. For every IAM policy, add an allow action and a StringEquals condition for the DevelopmentUnit resource tag and the development unit name. During SAML federation, use AWS Security Token Service (AWS STS) to assign the IAM policy and match the development unit name to the assumed IAM role.


Answer

B

Explanation

Correct answer: B. The correct choice for this question is B: pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation, and update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition f...
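The policy that option B describes, written out as an added example (this is not the page's or AWS's own text; the action list and the tag key name DevelopmentUnit are assumptions for illustration). The Allow statement gives developers the instance-management actions they need; the Deny statement uses the policy variable ${aws:PrincipalTag/DevelopmentUnit}, populated from the STS session tag, so that any instance whose DevelopmentUnit tag does not match the caller's own unit is refused, regardless of what the Allow grants:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInstanceManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyInstancesOfOtherUnits",
      "Effect": "Deny",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ResourceTag/DevelopmentUnit": "${aws:PrincipalTag/DevelopmentUnit}"
        }
      }
    }
  ]
}
```

Two things make this work in practice. First, the session tag has to reach the role: the SAML assertion must carry the attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:DevelopmentUnit, and the role's trust policy must allow sts:TagSession alongside sts:AssumeRoleWithSAML, otherwise the assertion is rejected. Second, the negated operator fails closed: if an instance has no DevelopmentUnit tag at all, StringNotEquals evaluates to true and the action is denied, so production instances must be tagged consistently (for example by enforcing the tag at launch). Because the check depends on the tag value, the same role should not be able to add or remove that tag on instances it does not own; a matching Deny on ec2:CreateTags and ec2:DeleteTags with the same condition closes that gap.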
