IAM, Policies, Roles & Accounts, Tagging Flashcards
Which of the following AWS Organizations-related statements are true? (Choose 2)
An org always has a management account
A management account is not affected by SCPs
A SysOps Administrator needs to track the usage of cloud resources against the AWS service limits. For easier tracking, the SysOps Administrator team should be notified in the existing Slack channel whenever usage is approaching a given limit, which will allow them to proactively request a service limit increase or shut down resources before the limit is exceeded.
Which of the following is the most suitable solution that can be implemented to meet this requirement?
Set up AWS Limit Monitor by using AWS Lambda, AWS Trusted Advisor, and Amazon EventBridge rules to track and monitor your AWS service limits which would be sent to your Slack Channel
A startup company is planning to build their cloud-based enterprise resource planning application in AWS. You are working as their SysOps Administrator and one of the founders asked you to design and build a cost-effective cloud architecture. After deploying and configuring the resources, you have to ensure that it complies with the AWS best practices.
Which of the following services would you use to help you reduce cost, increase performance, and improve the security of your AWS resources?
AWS Trusted Advisor
NOT AWS Inspector is incorrect because AWS Inspector is used to check for vulnerabilities in resources such as EC2 instances. It does not provide a report on how you can further improve your architecture, unlike Trusted Advisor.
A retail company is using AWS Organizations to manage user accounts. The consolidated billing feature is enabled to consolidate billing and payment for multiple AWS accounts. Member account owners requested to get the benefits of Reserved Instances (RIs) but they don’t want to share RIs with other members of the AWS Organization.
Which steps should the SysOps administrator perform to achieve the requirements?
Go to Billing Preferences in the management account and disable RI discount sharing. Then, purchase the RIs using individual member accounts.
A SysOps Administrator needs to grant a user the ability to pass any of the approved set of roles to the Amazon EC2 service upon launching an instance. This will enable the user to start an EC2 instance with an assigned role. In effect, the applications running on the instance can access temporary credentials for the role through the instance profile metadata.
Which of the following options should the Administrator implement together to accomplish this requirement? (Select TWO.)
– Set up an IAM permissions policy attached to the IAM Role that determines the actions that it must perform. Afterward, create a trust policy for the role that allows the service to assume the role.
– Set up an IAM permissions policy attached to the IAM user that allows the user to pass only those roles that are approved. Use the iam:PassRole and iam:GetRole permissions in order for the user to get the details of the role to be passed.
An administrator has launched new AWS accounts. Management wants that IAM users across all accounts be able to sign in using a single login URL as shown below:
https://tutorialsdojo.signin.aws.amazon.com/console
How can the administrator meet the requirement?
Having a single login URL for different AWS accounts is not possible.
A company with a multi-account AWS environment has several AWS resources that are shared with an external entity. To improve the security posture of the company’s cloud infrastructure, the SysOps Administrator needs to preview any changes to be implemented in the existing resource permissions. The Administrator must ensure that the new policy changes grant only the intended public and cross-account access to their specified cloud resource. A weekly report is also necessary which contains a list of all the access and the external principal granted to each shared AWS resource.
What should the Administrator do to satisfy the given requirement?
Set up IAM Access Analyzer to preview any upcoming resource permission changes and for generating findings containing a list of all the access and the external principal granted to each shared AWS resource.
A company wants to track and review the usage of its resources due to an exorbitant AWS bill that they received recently. The SysOps Administrator needs to view the costs for the current month as well as the last three months. She also needs to be able to forecast expenses for the current billing period.
Which of the following AWS Cost Management tools should the Administrator use?
Cost Explorer
NOT AWS Cost and Usage Report is incorrect because this tool doesn’t forecast your future costs. It just lists the AWS usage for each service category used by an account and its IAM users in hourly or daily line items, as well as any tags that you have activated for cost allocation purposes.
A company plans to develop a solution to enforce the tagging of all EC2 instances that will be launched in the VPC including all of the EBS volumes that are attached in the instances. This is to allow administrators to easily manage tags on provisioned products with a consistent taxonomy. With this strategy, the company will be able to centrally manage commonly deployed IT services, helping them to achieve consistent governance and meet compliance requirements.
Which of the following is the most suitable solution that they should implement to meet this requirement?
AWS Service Catalog TagOption Library.
NOT Enabling the Cost Allocation Tags feature which will automatically tag your resources
A software development company allows its 75 developers to create and manage resources using a Developer AWS Account. The finance team notices a significant spending increase in the account. The SysOps Administrator is assigned to collect information about the service costs of each developer to optimize costs.
How can the SysOps Administrator achieve this requirement? (Select TWO.)
– Enable the createdBy tag in the Billing and Management console.
– Use Cost Explorer to gain insight into the resources created by developers
NOT Utilize Trusted Advisor to track the resources created by an IAM User
Trusted Advisor = NOT Granular, NO CW
A global technology company has thousands of employees around the globe that are using Amazon VPC Cloud. As part of the company’s security compliance, IT auditors have requested a credential report that lists all AWS users together with their current status, their access key usage, and whether or not they are using Multi-Factor Authentication (MFA).
How can the SysOps Administrator generate the report required by the auditors?
Go to AWS IAM Console and download the Credential report.
A former colleague reached out to you for consultation. He uploads a Django project in Elastic Beanstalk through CLI using instructions he read in a blog post, but for some reason he could not create the environment he needs for his project. He encounters an error message saying “The instance profile aws-elasticbeanstalk-ec2-role associated with the environment does not exist.”
What are the possible causes of this issue? (Select TWO.)
– Elastic Beanstalk CLI did not create one because your IAM role has no permission to create roles.
– IAM role already exists but has insufficient permissions that Elastic Beanstalk needs.
NOT You have not associated an Elastic Beanstalk role to your CLI is incorrect because logging in to the CLI also assumes the role in your account.
A company has numerous AWS accounts and is managed using AWS Organizations. The finance department has requested a monthly breakdown of cloud expenditures for each department. AWS Systems Manager OpsCenter is used as a centralized location to manage operational work items of the corporate AWS resources across AWS accounts.
What sequence of actions should the SysOps Administrator take in order to supply the required information? (Select TWO.)
– In the AWS Organizations management account, go to the AWS Billing and Cost Management console and activate the cost allocation tag named “Department”. Utilize a tag policy to enforce a “Department” tag on newly created resources.
– Utilize the AWS Resource Groups Tag Editor to identify resources lacking tags in each account. Apply a tag named “Department” to any resources that are untagged.
NOT Configure an AWS Config rule across all accounts in the organization to mark resources without a “Department” tag as non-compliant is incorrect because AWS Config rules are primarily used to evaluate the compliance of resources against predefined configuration policies. They do not provide financial or billing information in AWS.
A company has multiple AWS accounts that are consolidated using AWS Organizations. A Systems Engineer has been tasked to set up a cloud-based single sign-on (SSO) service to centrally manage SSO access to all of the company’s AWS accounts and cloud applications. The Engineer has already created a directory in the master account using the AWS Directory Service. Full access has also been configured by the Engineer in AWS Organizations.
Which of the following should the Engineer configure to complete the setup?
Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.
NOT For each member account, set up IAM roles that will be used by AWS SSO. Associate the users with these IAM roles using AWS SSO is incorrect because you don’t need to set up IAM roles for each member account. You only need to set up permission sets in AWS SSO and associate them with the AWS Directory Service users and groups.
A large technology company owns several IT Consulting firms and has individual AWS accounts. As the SysOps Administrator, you are responsible for setting up their cloud architecture, ensuring that they are able to centrally manage policies and billing for their multiple AWS accounts.
Which of the following options would you implement to satisfy this requirement?
Use AWS Organizations to connect all of their AWS accounts.
NOT Use Consolidated Billing is incorrect because this is just for consolidating billing and payment for multiple AWS accounts.