MemberOctober 4, 2020 at 10:28 am
For the question which is
The AWS resources in your production account is shared among various business units of the
company. A single business unit may have one or more AWS accounts which have resources in
the production account. There were a lot of incidents in which the developers from a specific
business unit accidentally terminated the EC2 instances owned by another business unit. You
are tasked to come up with a solution to only allow a specific business unit who own the EC2
instances, and other AWS resources, to terminate their own resources.
Explanation is there given, but could have given in better way. Also some explanation by taking the correct option, and explaining why it is correct.
MemberOctober 8, 2020 at 11:46 pm
Thanks for the feedback.
I’ve update the explanation section to include more details on why the chosen answer is correct.
- The scenario on this question has a lot of AWS Accounts that need to be managed. AWS Organization solves this problem and provides you with control by assigning the different business units as individual Organization Units (OU). Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. However, SCPs alone are not sufficient for allowing access in the accounts in your organization. Attaching an SCP to an AWS Organizations entity just defines a guardrail for what actions the principals can perform. You still need to attach identity-based or resource-based policies to principals or resources in your organization’s accounts to actually grant permission to them.
- Since SCPs only allow or deny the use of an AWS service, you don’t want to block OUs from completely using the EC2 service. Thus, you will need to provide cross-account access and the IAM policy to every member accounts of the OU.
- Hence, the correct answer is: Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Create an IAM Role in the production account which has a policy that allows access to the EC2 instances including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the IAM policy to every member accounts of the OU.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Kenneth Samonte @ Tutorials Dojo
Log in to reply.