SAP-C02 Question 386
Question
An enterprise company is building an infrastructure services platform for its users. The company has the following requirements: • Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services. • Use a central account to manage the creation of infrastructure services. • Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations. • Provide the ability to enforce tags on any infrastructure that is started by users. Which combination of actions using AWS services will meet these requirements? (Choose three.)
Options
A. Develop infrastructure services using AWS CloudFormation templates. Add the templates to a central Amazon S3 bucket and add the IAM roles or users that require access to the S3 bucket policy.
B. Develop infrastructure services using AWS CloudFormation templates. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS account. Share these portfolios with the Organizations structure created for the company.
C. Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permissions. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3.
D. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions only. Use an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints.
E. Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the company. Apply the TagOption to AWS Service Catalog products or portfolios.
F. Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any CloudFormation templates that will be created for users.
Answer
BDE
Explanation
Correct answer: BDE.
Correct options:
B. Develop infrastructure services using AWS CloudFormation templates. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS account. Share these portfolios with the Organizations structure created for the company.
D. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions only. Use an automation script to import the central portfolios to local AWS accounts, copy the Tag...

Why these three fit together: B puts the approved templates in Service Catalog portfolios owned by one central account and shares them through AWS Organizations, which covers central management and multi-account distribution. D gives users only ServiceCatalogEndUserAccess, so they can launch catalog products but cannot call CloudFormation or the underlying services directly; the launch constraint supplies a platform-owned role that provisions on their behalf, which is the least-privilege piece. E uses the TagOption Library so that every product launched from the portfolio must carry the company's required tag keys and values.

Why the others fail: A only controls who can read templates from an S3 bucket; it does nothing to stop a user from launching any other template or service. C grants AWSCloudFormationFullAccess, so users can run any template they like, and an SCP that allows only CloudFormation and S3 cannot tell approved services from unapproved ones. F sets tags inside individual templates but cannot enforce tagging on templates that users create or modify themselves.
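The following is an added example, not part of the original question bank, showing what the automation behind options B, D and E looks like when written against boto3's `servicecatalog` client: the hub account attaches TagOptions to its portfolio and shares it with an organizational unit (sharing the TagOptions with it), and each spoke account accepts the share, copies the products into a local portfolio, pins every product to a launch constraint role, and grants the end-user role access. The portfolio, OU, product, role and account identifiers are made up for illustration, and `RecordingClient` is a constructed stand-in for the real boto3 client so the flow runs offline; for a real deployment pass `boto3.client("servicecatalog")` instead.

```python
"""Service Catalog hub-and-spoke distribution (added example).

Hub account: attach required TagOptions to a portfolio, then share the
portfolio (and its TagOptions) with an AWS Organizations OU.
Spoke account: accept the share, clone the shared products into a local
portfolio, apply a LAUNCH constraint, and grant end users access.
Every function takes a boto3 'servicecatalog' client; RecordingClient
below is a constructed stub that mimics the response shapes we read.
"""
import json


def attach_required_tags(sc, portfolio_id, required_tags):
    """Hub: create one TagOption per allowed key/value and bind each to the
    portfolio, so products launched from it must carry one of these values."""
    tag_option_ids = []
    for key, values in required_tags.items():
        for value in values:
            tag_id = sc.create_tag_option(Key=key, Value=value)["TagOptionDetail"]["Id"]
            sc.associate_tag_option_with_resource(ResourceId=portfolio_id, TagOptionId=tag_id)
            tag_option_ids.append(tag_id)
    return tag_option_ids


def share_portfolio_with_ou(sc, portfolio_id, ou_id):
    """Hub: share the portfolio with an organizational unit. ShareTagOptions
    carries the TagOptions along so spokes do not have to recreate them.
    (Sharing with an Organizations node must be done from the management
    or a delegated administrator account.)"""
    return sc.create_portfolio_share(
        PortfolioId=portfolio_id,
        OrganizationNode={"Type": "ORGANIZATIONAL_UNIT", "Value": ou_id},
        ShareTagOptions=True,
    )


def onboard_spoke(sc, shared_portfolio_id, local_name, launch_role_arn, end_user_arn):
    """Spoke: accept the Organizations share, copy its products into a local
    portfolio, constrain launches to launch_role_arn (so the end user never
    needs EC2/VPC/etc. permissions), and expose the portfolio to end users."""
    sc.accept_portfolio_share(PortfolioId=shared_portfolio_id, PortfolioShareType="AWS_ORGANIZATIONS")
    local_id = sc.create_portfolio(DisplayName=local_name, ProviderName="platform-team")["PortfolioDetail"]["Id"]
    products = sc.search_products_as_admin(PortfolioId=shared_portfolio_id)["ProductViewDetails"]
    constraint_ids = []
    for view in products:
        product_id = view["ProductViewSummary"]["ProductId"]
        sc.associate_product_with_portfolio(
            ProductId=product_id, PortfolioId=local_id, SourcePortfolioId=shared_portfolio_id)
        constraint = sc.create_constraint(
            PortfolioId=local_id, ProductId=product_id, Type="LAUNCH",
            Parameters=json.dumps({"RoleArn": launch_role_arn}),
            Description="Provision with the platform launch role, not the caller's credentials")
        constraint_ids.append(constraint["ConstraintDetail"]["ConstraintId"])
    sc.associate_principal_with_portfolio(PortfolioId=local_id, PrincipalARN=end_user_arn, PrincipalType="IAM")
    return {"local_portfolio_id": local_id, "constraint_ids": constraint_ids}


class RecordingClient:
    """Constructed stand-in for boto3.client('servicecatalog'): records every
    call with its kwargs and returns the minimal response fields read above."""

    def __init__(self, products):
        self.calls = []
        self._products = products
        self._counter = 0

    def _next_id(self, prefix):
        self._counter += 1
        return f"{prefix}-{self._counter:04d}"

    def __getattr__(self, name):  # any other attribute is treated as an API call
        def api_call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_tag_option":
                return {"TagOptionDetail": {"Id": self._next_id("tag"), **kwargs}}
            if name == "create_portfolio":
                return {"PortfolioDetail": {"Id": self._next_id("port")}}
            if name == "create_constraint":
                return {"ConstraintDetail": {"ConstraintId": self._next_id("cons")}}
            if name == "search_products_as_admin":
                return {"ProductViewDetails": [{"ProductViewSummary": {"ProductId": p}} for p in self._products]}
            return {}
        return api_call


def run_demo():
    """Drive hub and spoke against recording stubs; all IDs are made up."""
    hub = RecordingClient(products=[])
    tag_ids = attach_required_tags(hub, "port-hub00001",
                                   {"CostCenter": ["1234", "5678"], "Environment": ["dev", "prod"]})
    share_portfolio_with_ou(hub, "port-hub00001", "ou-abcd-11111111")
    spoke = RecordingClient(products=["prod-vpc00001", "prod-eks00001"])
    result = onboard_spoke(spoke, "port-hub00001", "platform-services",
                           "arn:aws:iam::111122223333:role/SCLaunchRole",
                           "arn:aws:iam::111122223333:role/PlatformEndUser")
    return hub, spoke, tag_ids, result


if __name__ == "__main__":
    hub, spoke, tag_ids, result = run_demo()
    print(f"hub calls: {[c[0] for c in hub.calls]}")
    print(f"spoke calls: {[c[0] for c in spoke.calls]}")
    print(f"tag options: {tag_ids}, local portfolio: {result}")
```

The end-user role referenced in `onboard_spoke` should carry only the ServiceCatalogEndUserAccess managed policy; the launch role named in the constraint is what actually needs permissions on the provisioned services, plus the trust relationship that lets servicecatalog.amazonaws.com assume it.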