AWS Certified Solutions Architect – Professional (SAP-C02) — Question 390

An enterprise company is building an infrastructure services platform for its users. The company has the following requirements:

• Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services.
• Use a central account to manage the creation of infrastructure services.
• Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations.
• Provide the ability to enforce tags on any infrastructure that is started by users.

Which combination of actions using AWS services will meet these requirements? (Choose three.)

Answer options

• A. Develop infrastructure services using AWS CloudFormation templates. Add the templates to a central Amazon S3 bucket and add the IAM roles or users that require access to the S3 bucket policy.
• B. Develop infrastructure services using AWS CloudFormation templates. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS account. Share these portfolios with the Organizations structure created for the company.
• C. Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permissions. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3.
• D. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions only. Use an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints.
• E. Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the company. Apply the TagOption to AWS Service Catalog products or portfolios.
• F. Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any CloudFormation templates that will be created for users.

Correct answer: B, D, E

Explanation

AWS Service Catalog is the ideal tool to centrally manage, share, and enforce governance rules for user-provisioned infrastructure. By creating portfolios in a central account and sharing them via AWS Organizations (Option B), the company achieves centralized management and distribution. Restricting users to ServiceCatalogEndUserAccess and using launch constraints ensures least-privilege access because users do not need direct permissions to create the underlying resources (Option D). Finally, the Service Catalog TagOption Library allows administrators to enforce specific tagging rules dynamically as products are launched (Option E).