Whizlabs AWS-SAP-01-AWS Organization
Question 1 Correct
You are providing AWS consulting services to an IT company. This company owns dozens of AWS accounts and prefers to set up an AWS Organization so that
all of these accounts can be managed together under a root account. The AWS administrator planned to create invitations for other accounts and asked for
your advice. About inviting other accounts to join an AWS Organization, which statements are correct? (Select TWO.)
A. Organization invitations can only be created through the AWS Organization console.
B. One AWS account can join only one Organization even if it receives multiple invitations.
C. Only the root user of an AWS account can create invitations.
E. If an invitation is not accepted or rejected for over 15 days, the invitation will expire.
Explanation:
Correct Answer – B, E
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html.
Option A is incorrect because invitations can also be created with the AWS CLI or the API, for example aws organizations invite-account-to-organization.
Option B is CORRECT because an account can be a member of only one AWS Organization at a time.
Option C is incorrect because any IAM principal in the management account that holds the organizations:InviteAccountToOrganization permission can create invitations; the root user is not required.
Option D is incorrect because there is a limit on invitations: an organization can send up to 20 invitations per day (accepted invitations do not count against this quota).
Option E is CORRECT because an invitation must be accepted or declined within 15 days, after which it expires.
Question 2 Correct
As an AWS Solutions Architect, you are in charge of the configuration of a new AWS Organization among several AWS accounts. You already created an
Organization and sent invitations for other accounts to join. Most AWS accounts can join the Organization successfully. However, for one AWS account, it did
not receive the invitation email so that it did not know how to join. How should you fix the problem?
A. In the root AWS account, select the pending invitation and choose "resend email".
B. In the root AWS account, cancel the invitation and then create a new invitation to this AWS account.
C. Contact AWS enterprise support to help you resend the invitation email to this AWS account.
D. In the root AWS account of the Organization, wait until the invitation expires and then create a new invitation to the AWS account.
Explanation:
Correct Answer – B
One thing to note is that the only operation available for an open invitation is Cancel (in the CLI, aws organizations cancel-handshake with the handshake ID from aws organizations list-handshakes-for-organization).
Option A is incorrect because an invitation that is still in the Open state cannot be resent.
Option B is CORRECT because a new invitation to the same account can be created only after the open one has been canceled; while an invitation to an account is still open, creating another one for the same account is rejected by the service. The original shows the console error in a screenshot:
[Screenshot of the console error not reproduced]
Option D is incorrect because it means waiting up to 15 days for the invitation to expire, which is unnecessary.
Question 3 Correct
You are an AWS Solutions Architect in a financial company. The company recently started working on migrating legacy applications to AWS. You planned to
use a new AWS Organization to manage all AWS accounts so that you can easily configure accounts, assign organizational units, configure security policies,
etc. Which methods are valid for you to add accounts to the Organization? (Select TWO.)
C. For other accounts, use root accounts to log in to the AWS Organization console and create requests to the Organization owner to join the organization.
D. In the root account of the Organization, create invitations to other accounts and wait for them to accept the invitations.
E. For other accounts, create a cross-account IAM role that allows the operation of add-account-to-organization for the resource of the AWS Organization ARN. Use an IAM user to assume the IAM role and send an API call to add the account to the Organization.
Explanation:
Correct Answer – A, D
There are two methods to add accounts to the AWS Organization either through creating new accounts within an Organization or creating invitations. Please
refer to
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html
and
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html.
Option A is CORRECT because the user can create a new account that is part of the Organization.
Option B is incorrect because other accounts cannot create requests to join the Organization, and there is no CLI command such as request-join-to-organization.
Option C is incorrect because, in the AWS console, users cannot create requests to join an Organization; they can only accept invitations that the management account has sent.
Option D is CORRECT because this can be done through the AWS console, CLI, or API.
Option E is incorrect because a cross-account IAM role is not required in this scenario, and there is no API call with which a member account adds itself to an organization.
Question 4 Correct
Your team’s AWS account is a root account of an AWS Organization and you are in charge of configuring Organizational Units within the Organization. At the
moment, each Organizational Unit is supposed to be connected with a team. However, sometimes because of project changes or team restructuring,
Organizational Units need to be adjusted as well. Which operation is valid for Organizational Units?
B. As an AWS account is used by two departments, move the account to be a member of two OUs.
C. An OU and its members are no longer needed due to business needs; you can delete the OU directly and the members will be automatically removed from the AWS Organization.
Explanation:
Correct Answer – D
An Organizational Unit can have AWS accounts and other Organizational Units as members. This makes the whole structure similar to a tree. The accounts
are organized in a hierarchical, tree-like structure. Check
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html
Option A is incorrect because an OU can have only one parent. This is explained in
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html.
Option B is incorrect because, similar to Option A, an AWS account can be a member of only one OU (or of the Root) at a time.
Option C is incorrect because, before deleting an OU, you must first move all accounts out of the OU and out of any child OUs, and the child OUs must be deleted as well; deleting an OU never removes accounts from the Organization.
Option D is CORRECT because none of the other operations is valid.
Question 5 Correct
You have signed in to an AWS Organization's master account (now called the management account) using an admin IAM user. You need to move accounts in this Organization from one OU (Organizational Unit) to another, or back to the Root from an OU. However, the operation was disallowed due to a lack of permissions, so you started looking at the IAM policies attached to this user. What are the minimum permissions you need to move accounts among OUs? (Select TWO.)
A. organizations:DescribeAccount
B. organizations:DescribeOrganization
C. organizations:MoveAccount
D. organizations:AttachPolicy
E. organizations:*
Explanation:
Correct Answer – B, C
Users can move accounts between the Root and OUs in AWS Organization according to
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html.
Option A is incorrect because organizations:DescribeAccount only retrieves details about an account; it is not needed to move it.
Option B is CORRECT because organizations:DescribeOrganization is additionally required when the move is done from the console.
Option C is CORRECT because organizations:MoveAccount is the permission for the MoveAccount API call that both the console and the CLI (aws organizations move-account) use.
Option D is incorrect because organizations:AttachPolicy is for attaching policies to a Root, OU, or account, not for moving accounts.
Option E is incorrect because organizations:* allows every Organizations action, which does not meet least privilege.
Question 6 Correct
You have maintained an AWS Organization and the Organization has below OUs (Organizational Units) configured:
Root
  - Dev_Department (account 1, account 2)
  - QA_Department (account 3, account 4)
The OUs Dev_Department and QA_Department are the children of the Root and each has two accounts as members. Due to a recent organizational change,
QA_Department needs to be a child of Dev_Department. And account 3 and account 4 should be still the members of QA_Department.
How should you achieve this requirement?
A. In the tree view of the AWS Organization console, drag and drop QA_Department and its members to be a child of Dev_Department.
B. Move accounts 3 and 4 out of the AWS Organization, move QA_Department to be a child of Dev_Department. Add accounts 3 and 4 back to QA_Department.
C. Create a new OU under Dev_Department named QualityAssurance_Department. Move accounts 3 & 4 to the new OU. Delete the original empty OU QA_Department.
D. Move accounts 3 and 4 under the Root of the AWS Organization. Use CLI move-organizational-unit to move QA_Department to be a child of Dev_Department. Then add accounts 3 and 4 to QA_Department.
Explanation:
Correct Answer – C
For OUs, there are limited operations that users can do. Please check
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html.
One thing to note is that an OU cannot be moved to a different parent, neither from the console nor with a CLI command, so the OU has to be recreated under the new parent and the accounts moved into it.
Option A is incorrect because the console does not support dragging an OU to another parent.
Option B is incorrect because removing the accounts from the Organization is unnecessary, and they would have to be re-invited afterwards.
Option C is CORRECT because accounts can be moved from one OU to another, after which the empty OU can be deleted. With the CLI this is aws organizations create-organizational-unit, then move-account for each account listed by list-accounts-for-parent, and finally delete-organizational-unit. Policies attached to the old OU (SCPs, tag policies) are not carried over: attach them to the new OU before moving the accounts, otherwise the accounts are governed only by the policies inherited from Dev_Department and the Root until you do.
Option D is incorrect because there is no CLI command that moves an Organizational Unit.
Question 7 Correct
In an AWS Organization, the Root is attached with a default SCP that allows all actions on all resources. And other OUs or AWS accounts are attached with
SCPs that contain Deny lists. For example, an SCP that denies cloudtrail:StopLogging is attached to an OU. However, you think that the Deny lists can be
improved to contain more services such as those that are not used. How would you find out the services that are allowed by the SCP but are never used?
A. In AWS Organization console, identify allowed services that are never used by AWS accounts.
B. In the IAM credential report of AWS accounts, examine those services that are not required to be allowed by SCPs.
C. In AWS Config Resources, list the AWS services that are not used by IAM users.
D. In the IAM Organization activity, check last accessed data to identify services that are never used.
Explanation:
Correct Answer – D
Refer to
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
Option A is incorrect because the AWS Organizations console does not show last accessed data.
Option B is incorrect because the IAM credential report lists IAM users and the state of their credentials (passwords, access keys, MFA); it carries no service access data for the Organization.
Option C is incorrect because AWS Config records resource configuration and compliance, not which services principals have called, so it cannot identify unused services.
Option D is CORRECT because the Organization activity view in the IAM console (service last accessed data for Organizations, also available through the IAM GenerateOrganizationsAccessReport and GetOrganizationsAccessReport APIs) reports, for a Root, OU, or account, which services allowed by the SCPs were actually used and when. Services that show no access in the tracking period are the candidates for the Deny list. The original shows such a report in a screenshot:
[Screenshot of the Organization activity report not reproduced]
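The step from a last-accessed report to a tightened Deny list can be scripted. The following is an added example, not code from the Whizlabs page or from AWS: it takes an access report in the shape of the AccessDetails list returned by the IAM GetOrganizationsAccessReport API (the sample data, the 90-day lookback and the fixed "today" are constructed assumptions), lists the service namespaces that were never authenticated in the window, and renders them as an SCP Deny statement, checking the result against the SCP size limit.

```python
"""Turn Organizations service last accessed data into an SCP Deny list.

Added example, not code from the Whizlabs page or from AWS. The access
report below is a constructed sample in the shape of the AccessDetails
list returned by the IAM GetOrganizationsAccessReport API; in a real run
you would create it with
  aws iam generate-organizations-access-report --entity-path <org-id>/<ou-id>
and fetch it with
  aws iam get-organizations-access-report --job-id <job-id>
The 90-day lookback and the fixed "today" are assumptions of the example.
"""
import json
from datetime import datetime, timedelta, timezone

SCP_MAX_BYTES = 5120  # documented maximum size of an SCP document
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "today"

# Constructed sample: entries without LastAuthenticatedTime were never
# used in the reporting period (the console shows these as not accessed
# in the tracking period).
SAMPLE_ACCESS_DETAILS = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticatedTime": "2024-05-01T10:00:00+00:00",
     "TotalAuthenticatedEntities": 4},
    {"ServiceName": "AWS CloudTrail", "ServiceNamespace": "cloudtrail",
     "LastAuthenticatedTime": "2024-05-02T08:30:00+00:00",
     "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticatedTime": "2024-04-28T12:00:00+00:00",
     "TotalAuthenticatedEntities": 9},
    {"ServiceName": "Amazon SageMaker", "ServiceNamespace": "sagemaker",
     "LastAuthenticatedTime": "2023-09-15T09:00:00+00:00",
     "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon Lightsail", "ServiceNamespace": "lightsail",
     "TotalAuthenticatedEntities": 0},
    {"ServiceName": "AWS Ground Station", "ServiceNamespace": "groundstation",
     "TotalAuthenticatedEntities": 0},
]


def unused_namespaces(access_details, now=SAMPLE_NOW, lookback_days=90):
    """Return the sorted service namespaces with no authenticated call in
    the last `lookback_days`. A service last used before the window counts
    as unused, so the window should be at least as long as the longest
    periodic job (for example a quarterly report) running in the accounts."""
    cutoff = now - timedelta(days=lookback_days)
    unused = []
    for detail in access_details:
        last = detail.get("LastAuthenticatedTime")
        if last is None or datetime.fromisoformat(last) < cutoff:
            unused.append(detail["ServiceNamespace"])
    return sorted(unused)


def build_deny_scp(namespaces):
    """Render an SCP that denies every action of the given namespaces and
    check it against the SCP size limit."""
    if not namespaces:
        raise ValueError("nothing to deny; an SCP needs at least one action")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnusedServices",
            "Effect": "Deny",
            "Action": [f"{ns}:*" for ns in namespaces],
            "Resource": "*",
        }],
    }
    size = len(json.dumps(policy, separators=(",", ":")).encode())
    if size > SCP_MAX_BYTES:
        raise ValueError(f"SCP is {size} bytes, over the {SCP_MAX_BYTES} limit")
    return policy


if __name__ == "__main__":
    unused = unused_namespaces(SAMPLE_ACCESS_DETAILS)
    print("Unused in the last 90 days:", unused)
    print(json.dumps(build_deny_scp(unused), indent=2))
```

Run the report against the OU the SCP will be attached to, not only against one account: the access data is aggregated for the entity path you pass, and a service unused in one account may be the core of another account in the same OU.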
Question 8 Correct
A. The action will be denied as the SCP in Admin_OU denies the operation.
B. The action will be allowed as the SCP in the root has full AWS access and Bob is attached with full S3 permissions.
C. The action will be denied as SCP in DEV1_OU has an S3 Deny policy, which takes priority.
D. The action will be allowed as DEV2_OU is attached with an S3 Allow SCP policy, which takes priority.
Explanation:
Correct Answer – A
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html.
The rule that decides this case is that an explicit Deny in any SCP on the path from the Root down to the account always takes priority over any Allow.
Option A is CORRECT because DEV2_OU inherits the SCP attached to Admin_OU, which contains a Deny on S3; that Deny overrides any Allow that other SCPs might grant.
Option B is incorrect because the SCPs inherited from the OUs above the account must also be considered, and an IAM policy in the account cannot override an SCP Deny.
Option C is incorrect because the SCP in DEV1_OU does not need to be considered: DEV1_OU is not a parent of the account Bob belongs to.
Option D is incorrect because an Allow never overrides a Deny that exists anywhere on the path.
Question 9 Correct
Accounts in Security_OU are from the security team who needs to audit the AWS resources in Project_OU. The Project_OU includes DEV_OU and QA_OU
which belong to the development department and QA department. For security concerns, all AWS users in both development and QA department are not
allowed to perform certain actions such as the deletion of IAM roles. How would you achieve that?
A. Create an SCP that denies required actions and attach it to Root. Attach another SCP that contains an Allow list in Project_OU.
D. Root has a default SCP attached. Create an SCP that denies the required actions. Attach it to Project_OU, DEV_OU, and QA_OU.
Explanation:
Correct Answer – B
OUs in AWS Organization inherit the SCPs from the parent OU. Reference can be found in
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html.
Option A is incorrect because attaching the Deny SCP to the Root affects every node in the Organization, including Security_OU.
Option B is CORRECT because a Deny SCP attached to Project_OU is inherited by DEV_OU, QA_OU and their accounts, while Security_OU and other OUs outside Project_OU are not affected.
Option C is incorrect because Project_OU and Security_OU already have the default FullAWSAccess SCP attached, so no additional full-access SCP is needed.
Option D is incorrect because DEV_OU and QA_OU do not need the Deny SCP attached as well, since they inherit it from Project_OU.
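Both Question 8 and Question 9 turn on how SCPs combine down the tree, which is easy to get wrong by reading SCPs like IAM policies. The following added example (not code from the Whizlabs page or from AWS) evaluates an action against the SCPs attached along an account's path using the two rules the explanations rely on: every level from the Root to the account must allow the action, and an explicit Deny at any level wins. The OU tree and policies are constructed to match the two scenarios; the exact layout of the Q8 diagram, the account names, and the allow-list node under QA_OU are assumptions, and Resource, Condition and NotAction elements are not modelled.

```python
"""Evaluate whether an action survives the SCPs on an account's path.

Added example, not code from the Whizlabs page or from AWS. It models the
two rules that the explanations for Questions 8 and 9 rely on:
  1. SCPs are intersected down the tree: every level from the Root to the
     account must have an SCP that allows the action, and
  2. an explicit Deny in any SCP on that path wins over every Allow.
The OU tree and policies are constructed to match the scenarios in the two
questions; the exact shape of the original Q8 diagram is an assumption.
Resource, Condition and NotAction elements are not modelled.
"""
import re

# With "All features" enabled, AWS attaches the FullAWSAccess SCP to every
# node by default; the QA_OU node below shows what happens when it is
# detached in favour of an allow list.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ALLOW_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_S3 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
DENY_ROLE_DELETION = {"Statement": [{
    "Effect": "Deny",
    "Action": ["iam:DeleteRole", "iam:DeleteRolePolicy"],
    "Resource": "*"}]}

# child -> parent; None marks the Root (assumed layout)
TREE = {
    "Root": None,
    "Admin_OU": "Root", "DEV1_OU": "Root",            # Question 8
    "DEV2_OU": "Admin_OU", "Bob_Account": "DEV2_OU",
    "Project_OU": "Root", "Security_OU": "Root",      # Question 9
    "DEV_OU": "Project_OU", "QA_OU": "Project_OU",
    "Dev_Account": "DEV_OU", "QA_Account": "QA_OU",
    "Audit_Account": "Security_OU",
}

# SCPs attached at each node
ATTACHED = {
    "Root": [FULL_ACCESS],
    "Admin_OU": [FULL_ACCESS, DENY_S3],
    "DEV1_OU": [FULL_ACCESS, DENY_S3],
    "DEV2_OU": [FULL_ACCESS, ALLOW_S3],
    "Bob_Account": [FULL_ACCESS],
    "Project_OU": [FULL_ACCESS, DENY_ROLE_DELETION],
    "DEV_OU": [FULL_ACCESS],
    "QA_OU": [ALLOW_S3],               # FullAWSAccess detached: allow list only
    "Dev_Account": [FULL_ACCESS],
    "QA_Account": [FULL_ACCESS],
    "Security_OU": [FULL_ACCESS],
    "Audit_Account": [FULL_ACCESS],
}


def action_matches(pattern, action):
    """IAM-style action matching: '*' and '?' wildcards, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def level_allows(scps, action):
    """Decision at one node: an explicit Deny wins; otherwise some attached
    SCP must allow the action. A node with no matching Allow blocks it."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if any(action_matches(p, action) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def scp_permits(node, action, tree=TREE, attached=ATTACHED):
    """Walk from the account up to the Root; the action must pass every
    level. SCPs never grant permissions: a True result still needs an
    IAM policy in the account that allows the action."""
    path = []
    while node is not None:
        path.append(node)
        node = tree[node]
    return all(level_allows(attached.get(n, []), action) for n in path)


if __name__ == "__main__":
    for account, action in [("Bob_Account", "s3:PutObject"),
                            ("Bob_Account", "ec2:DescribeInstances"),
                            ("Dev_Account", "iam:DeleteRole"),
                            ("Audit_Account", "iam:DeleteRole"),
                            ("QA_Account", "ec2:RunInstances")]:
        print(f"{account:14} {action:22} -> {scp_permits(account, action)}")
```

The QA_OU node is the case the questions do not cover: once FullAWSAccess is detached, the attached allow list is the ceiling for everything below it, so an action a child OU or account would happily allow is still blocked if QA_OU does not list it.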
Question 10 Correct
You are an AWS architect in an IT startup company. Last month you have configured an AWS Organization. Although the default feature set of AWS
Organization is “All Features”, you only enabled “Consolidated Billing” feature at that time. Later on, you found it was necessary to use service control policies
(SCPs) to provide a central control so you have enabled “All Features” for the Organization. Recently, the company is short on budget and has to do a cost
reduction. Your manager asked you whether you can modify “All Features” to “Consolidated Billing” in order to save some cost. How would you answer this
question?
A. All attached SCPs need to be detached first in the Organization before All Features is changed to Consolidated Billing. This can also save some cost as Consolidated Billing is a free feature.
B. All Features can be switched to Consolidated Billing as long as the user has proper IAM permission. However, it will not save any cost as Consolidated Billing and All Features charge the same.
C. Users can switch between All Features and Consolidated Billing anytime. However, this will not save any cost since AWS Organization is offered without charge as long as there are more than 5 OUs in the Organization.
D. All Features cannot be switched back to Consolidated Billing. Besides, AWS Organization is a free service so it is not required to modify it.
Explanation:
Correct Answer – D
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html.
AWS Organization itself is a free service. Users are only charged for the AWS resources in their accounts.
Option A is incorrect because All Features cannot be switched back to Consolidated Billing; the only way back to a consolidated-billing-only organization is to delete the organization and create a new one. This is described in
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html.
Option C is incorrect because AWS Organizations is free regardless of the number of OUs in the Organization.
Option D is CORRECT because, once All Features is enabled, it cannot be changed back, and since Organizations itself is free, any cost reduction has to come from the other AWS services used in the accounts.