Q7 — AWS SAP-C02 Ch.1


Q82. A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups. The company must create separate accounts for development, staging, production, and shared network. The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other. Which combination of steps should a solutions architect take to meet these requirements? (Select THREE)

Correct Answer: A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations., C. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables., D. Set up and enable AWS Single Sign-On. Create appropriate permission sets with required MFA for existing accounts.

Explanation

The three steps are A, C and D. Together they give the company a governed multi-account structure, private inter-account connectivity with controlled reachability, and centrally managed, MFA-protected access.

Step A: Deploy a landing zone with AWS Control Tower and enroll or invite accounts into the resulting AWS Organizations organization. Control Tower builds a multi-account environment on AWS best practices: an organization with organizational units (OUs), preventive and detective guardrails (implemented as service control policies and AWS Config rules), centralized logging of CloudTrail and AWS Config data into a dedicated log archive account, and an Account Factory for creating the development, staging, production and shared network accounts consistently. Enrolling existing accounts brings them under the same governance. Control Tower does not, however, provide routing between accounts.

Step C: Create transit gateways and transit gateway VPC attachments, and configure the route tables. AWS Transit Gateway is a regional hub that connects VPCs (and VPN or Direct Connect connections) so that inter-account traffic stays on the AWS private network instead of traversing the internet. In practice the transit gateway is usually created once in the shared network account and shared with the other accounts through AWS Resource Access Manager; each account then attaches its VPC. Reachability is controlled by transit gateway route tables: each attachment is associated with exactly one route table, and that table decides where packets arriving from the attachment may be forwarded, through propagated or static routes. Using one route table for the production and shared network attachments that holds routes to every VPC, and a separate table for the development and staging attachments, isolates the non-production environments while letting production and shared network reach everything. One caveat a practitioner should expect: transit gateway route tables are evaluated per direction and are not stateful, so a flow only works when both the source's and the destination's associated tables have a route. The non-production table therefore still needs return routes to the production and shared network CIDRs, and any further restriction on what development and staging may initiate is enforced with security groups or network ACLs in the destination VPCs.

Step D: Set up AWS Single Sign-On (now AWS IAM Identity Center) and create permission sets that require MFA. Identity Center is the organization-wide identity service: users and groups are defined once, in its built-in directory or an external identity provider, and permission sets, which are materialized as IAM roles in each member account, are assigned to groups per account. This is how specific roles are assigned to user groups across all accounts from one place. MFA is enforced at sign-in in Identity Center's authentication settings (or by the external identity provider), so every role a user assumes through the access portal sits behind MFA at login.

Why B, E and F are wrong:

B. AWS Security Hub aggregates security findings across accounts and services; it neither manages cross-account access nor controls routing. AWS CloudTrail records API activity for auditing; it cannot force MFA at login.

E. AWS Control Tower governs the account structure (and is already used in step A), but it does not manage routing between accounts, and CloudTrail, again, does not enforce MFA.

F. IAM users and groups are scoped to a single account, so they do not give centrally managed access across many accounts. Amazon Cognito user pools and identity pools provide sign-up, sign-in and access control for the end users of an application, not workforce access to the AWS accounts themselves. However, it does not provide
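The route-table caveat in step C is easy to get wrong, so here is an added example (not from the original page or from AWS) that models transit gateway route selection and checks the question's connectivity rules against two candidate designs. Attachment names, VPC CIDRs and route-table names are constructed for illustration; the model reproduces the per-direction, longest-prefix lookup that a transit gateway performs, with reachability requiring a route in both the source's and the destination's associated table.

```python
"""Model of AWS Transit Gateway route-table reachability (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Attachment:
    name: str          # account / VPC the attachment belongs to (constructed)
    cidr: str          # VPC CIDR advertised by this attachment (constructed)
    route_table: str   # the single TGW route table this attachment is associated with


@dataclass(frozen=True)
class RouteTable:
    name: str
    propagations: frozenset   # attachments whose CIDRs are propagated into this table

    def routes(self, attachments):
        """Effective routes in this table: prefix -> target attachment."""
        return {a.cidr: a.name for a in attachments.values() if a.name in self.propagations}

    def lookup(self, attachments, dst_ip):
        """Longest-prefix match, the way the TGW picks a route for a packet."""
        best = None
        for cidr, target in self.routes(attachments).items():
            net = ip_network(cidr)
            if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else best[1]


def one_way(attachments, tables, src, dst):
    """Can a packet entering the TGW from `src` be forwarded to `dst`?"""
    table = tables[attachments[src].route_table]
    dst_ip = str(ip_network(attachments[dst].cidr)[1])   # any host in dst's VPC
    return table.lookup(attachments, dst_ip) == dst


def reachable(attachments, tables, src, dst):
    """TGW routing is stateless: a flow works only if both directions have a route."""
    return one_way(attachments, tables, src, dst) and one_way(attachments, tables, dst, src)


def reachability_matrix(attachments, tables):
    names = sorted(attachments)
    return {(s, d): reachable(attachments, tables, s, d) for s in names for d in names if s != d}


def check_requirements(matrix):
    """The question's rules: prod and shared reach everyone, dev and staging reach each other."""
    must = {("prod", x) for x in ("dev", "staging", "shared")}
    must |= {("shared", x) for x in ("dev", "staging", "prod")}
    must.add(("dev", "staging"))
    return sorted(pair for pair in must if not matrix[pair])


# Constructed attachments: one VPC per account, two route tables.
ATTACHMENTS = {
    "dev":     Attachment("dev",     "10.10.0.0/16", "rt-nonprod"),
    "staging": Attachment("staging", "10.20.0.0/16", "rt-nonprod"),
    "prod":    Attachment("prod",    "10.30.0.0/16", "rt-full"),
    "shared":  Attachment("shared",  "10.40.0.0/16", "rt-full"),
}
EVERYONE = frozenset(ATTACHMENTS)

# First attempt: prod/shared see everyone, dev/staging see only each other.
NAIVE_TABLES = {
    "rt-full":    RouteTable("rt-full",    EVERYONE),
    "rt-nonprod": RouteTable("rt-nonprod", frozenset({"dev", "staging"})),
}

# Corrected: the non-prod table also carries return routes to prod and shared.
# Without them, prod -> dev packets are forwarded but the replies are dropped.
FIXED_TABLES = {
    "rt-full":    RouteTable("rt-full",    EVERYONE),
    "rt-nonprod": RouteTable("rt-nonprod", EVERYONE),
}


if __name__ == "__main__":
    for label, tables in (("naive", NAIVE_TABLES), ("fixed", FIXED_TABLES)):
        violations = check_requirements(reachability_matrix(ATTACHMENTS, tables))
        print(f"{label}: violations = {violations}")
```

Running it shows the naive design failing every production-to-non-production and shared-to-non-production pair, even though the forward direction has a route, and the corrected design passing. The corrected design necessarily also makes development and staging able to initiate connections to production at layer 3; the transit gateway cannot express a one-directional permission, so the "only each other" rule for development and staging is completed with security groups or network ACLs on the production side.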