Q13 — AWS DOP-C02 Chapter 2
Question 13 of 100
A company has multiple AWS accounts. The company uses AWS Single Sign-On (AWS SSO) integrated with the AWS Toolkit for Microsoft Azure DevOps. The attributes for access control feature is enabled in AWS SSO. The attribute mapping list contains two entries: the department key is mapped to ${path:enterprise.department}, and the costCenter key is mapped to ${path:enterprise.costCenter}. All existing Amazon EC2 instances carry a department tag whose value is one of three company departments (d1, d2, d3). A DevOps engineer must create policies based on the matching attributes. The policies must minimize administrative effort and must grant each Azure AD user access only to the EC2 instances that are tagged with that user's own department name. Which condition key should the DevOps engineer include in the custom permission policies to meet these requirements?
- A. "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": ["department"]
- B. "Condition": { "stringEquals": { "aws:PrincipalTag/department": "${aws:ResourceTag/department}"
- C. "Condition": { "stringEquals": { "ec2:ResourceTag/department": "${aws:PrincipalTag/department}" ✓
- D. "Condition": { "ForAllValues:StringEquals": { "ec2:ResourceTag/department": ["d1", "d2", "d3"]
Correct answer: C. "Condition": { "stringEquals": { "ec2:ResourceTag/department": "${aws:PrincipalTag/department}"
Explanation
https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/
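The following permission-set policy is an added example, not taken from the page or from any AWS sample; it shows how the condition key from answer C is used in a complete attribute-based access control (ABAC) policy. The department session tag is populated by the AWS SSO attribute mapping described in the question, so ${aws:PrincipalTag/department} resolves to the user's Azure AD department at sign-in. The action list, statement IDs and the tag-protection Deny statement are assumptions chosen for illustration. ec2:DescribeInstances does not support tag-based resource conditions, so it is granted in a separate statement without the condition. The condition operator is written in its canonical form, StringEquals.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesNotTagScoped",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ManageOwnDepartmentInstancesOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/department": "${aws:PrincipalTag/department}"
        }
      }
    },
    {
      "Sid": "DenyChangingTheDepartmentTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["department"]
        }
      }
    }
  ]
}
```

Because the match is made between the instance's tag and the principal's own session tag, one policy serves d1, d2, d3 and any department added later, which is why this approach requires less administration than enumerating department values as in option D. A principal whose session carries no department tag matches nothing, so the policy fails closed. The Deny statement is the usual companion to a tag-based Allow: without it, a user who can tag instances could relabel an instance into their own department and widen their own access.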