Question 1:
You have strong regulatory requirements to only allow fully internally audited AWS services in production. You still want to allow your teams to experiment in a development environment while services are being audited. How can you best set this up?
Answer (3): By creating an AWS Organization with separate Organizational Units (OUs) for Prod and Dev, and applying a Service Control Policy (SCP) on the Prod OU, you effectively enforce compliance in your production environment while allowing flexibility for experimentation in development. This setup aligns with your regulatory requirements by ensuring only vetted services are accessible in production.
Question 2:
You are managing the AWS account for your company, and you want to give one of the developers access to read files from an S3 bucket. You have updated the bucket policy to the following, but he still can't access the files in the bucket. What is the problem?
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowsRead",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:user/Dave"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::static-files-bucket-xxx"
  }]
}
Answer (3): The permission specified in the bucket policy only grants access to the bucket itself, not to the objects within it. s3:GetObject is an object-level action, so the resource must match object ARNs: by changing the resource to "arn:aws:s3:::static-files-bucket-xxx/*", you allow access to the individual files.
Question 3:
You have 5 AWS Accounts that you manage using AWS Organizations. You want to restrict access to certain AWS services in each account. How should you do that?
Answer (2): By selecting "Using AWS Organizations SCP," you correctly identified the most effective way to restrict access to specific AWS services across multiple accounts, as Service Control Policies provide a centralized method for managing permissions within your organization. This aligns with your goal of implementing governance and compliance measures across your AWS accounts effectively.
Question 4:
Which of the following IAM condition keys can you use to allow API calls only to a specified AWS region?
Answer (4): This condition key allows or denies API calls based on the region specified in the request, which is exactly what is needed to control access to a specified AWS region. It is the standard way to enforce regional restrictions in an IAM or SCP policy.
Question 5:
When configuring permissions for EventBridge to invoke a Lambda function as a target, you should use ………………….., but when you want to configure a Kinesis Data Stream as a target, you should use
Answer (2): For a Lambda target, EventBridge needs a resource-based policy on the Lambda function that grants EventBridge permission to invoke it. For a Kinesis Data Stream target, EventBridge assumes an IAM role, so you use an identity-based policy attached to that role to grant it permission to put records into the stream. This distinction is key for correctly configuring target permissions in AWS.
To stay informed on the latest technical insights and tutorials, connect with me on Medium, LinkedIn, and Dev.to. For professional inquiries or technical discussions, please contact me via email. I welcome the opportunity to engage with fellow professionals and address any questions you may have. All blogs in this series will be optimized, fine-tuned, developed, and updated in a timely manner to reflect the latest AWS changes, exam updates, and real-world best practices.