Secure User and Resource Management for Dynamic AWS Environments | AWS Well-Architected Framework

Effective User and Resource Management for Dynamic AWS Environments

Question

Based on the AWS Well-Architected Framework, how should a start-up company with a dynamic AWS environment manage its users and resources securely without affecting cost? (Select TWO.)

Answers

Explanations

Correct Answer: C and D.

Option A is INCORRECT because creating multiple IAM users with administrator privileges is not a best practice.

Rights and privileges should be assigned on a least-privilege basis.

Option B is INCORRECT because the AWS CloudFront service is a content distribution service; it has no configuration templates, nor does it perform this function.

That is the function of AWS CloudFormation.

Option C is CORRECT. Based on the Cost Optimization pillar, a focal area is the analysis of costs within the AWS environment and how they are distributed across the functional groups or departments of the company.

AWS Organizations provides consolidated billing into a single account.

Option D is CORRECT. Based on the Security pillar, it is advantageous to filter unwanted traffic at the VPC edge rather than on the hosts.

It is a best practice to drop undesirable packets before they enter the AWS environment.

Option E is INCORRECT because provisioning resources and compute capacity to accommodate future growth means that capacity sits idle in anticipation of long-term growth.

According to the AWS Well-Architected Framework reliability pillar, this is not cost-effective; the company should pay only for what is actually being used.

References

https://wa.aws.amazon.com/wat.pillar.costOptimization.en.html
https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/wellarchitected-security-pillar.pdf
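To make option C concrete, the following added example (not part of the original page or of any AWS tooling) rolls up consolidated-billing line items through an AWS Organizations OU tree, so that each business function's spend can be read off its OU. The OU hierarchy, the account IDs and the line items are all constructed sample data, and `ORG_TREE`, `LINE_ITEMS`, `cost_by_account` and `cost_by_ou` are names assumed for this illustration.

```python
"""Roll up consolidated-billing line items by organizational unit (OU).

Added example, not from the original page: the OU tree and the billing
line items are constructed sample data that mimic an AWS Organizations
hierarchy and a consolidated billing export keyed by linked account ID.
"""
from collections import defaultdict

# Constructed OU hierarchy: each OU lists its child OUs and member accounts.
# Account IDs are placeholders, not real AWS accounts.
ORG_TREE = {
    "Root": {"children": ["Engineering", "Marketing"], "accounts": ["111111111111"]},
    "Engineering": {"children": ["Platform"], "accounts": ["222222222222"]},
    "Platform": {"children": [], "accounts": ["333333333333"]},
    "Marketing": {"children": [], "accounts": ["444444444444"]},
}

# Constructed consolidated-billing line items: (account_id, service, usd).
LINE_ITEMS = [
    ("111111111111", "AWSOrganizations", 0.0),
    ("222222222222", "AmazonEC2", 120.50),
    ("222222222222", "AmazonS3", 9.50),
    ("333333333333", "AmazonEKS", 73.00),
    ("444444444444", "AmazonCloudFront", 42.00),
]


def cost_by_account(line_items):
    """Sum charges per linked account, as consolidated billing presents them."""
    totals = defaultdict(float)
    for account_id, _service, usd in line_items:
        totals[account_id] += usd
    return dict(totals)


def cost_by_ou(tree, account_costs, ou="Root"):
    """Return {ou_name: total_usd}; an OU's total covers its own member
    accounts plus every OU nested beneath it, so Root equals total spend."""
    result = {}
    own = sum(account_costs.get(a, 0.0) for a in tree[ou]["accounts"])
    for child in tree[ou]["children"]:
        result.update(cost_by_ou(tree, account_costs, child))
        own += result[child]
    result[ou] = round(own, 2)
    return result


if __name__ == "__main__":
    for name, usd in sorted(cost_by_ou(ORG_TREE, cost_by_account(LINE_ITEMS)).items()):
        print(f"{name:12s} ${usd:9.2f}")
```

Nested OUs roll up into their parent, so the Engineering figure already includes the Platform sub-OU.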

Based on the AWS Well-Architected Framework, managing users and resources securely while minimizing costs requires a comprehensive approach. The framework outlines several best practices that companies can follow to achieve this goal. However, for the given scenario of a start-up company with a dynamic AWS environment, the two most relevant solutions are:

C. Use of AWS Organizations with respective OUs that differentiate billing across the company's functions: AWS Organizations is a service that helps to consolidate multiple AWS accounts into an organization that can be centrally managed. AWS Organizations provides a set of policy-based controls for managing billing, security, and compliance across multiple accounts. A start-up company with a dynamic AWS environment can use AWS Organizations to group its resources into organizational units (OUs) based on business functions, projects, or teams. This way, the company can easily track and allocate its AWS spending by function or team without compromising security.

E. Provisioning of resources and compute capacity that accommodates future growth: A start-up company with a dynamic AWS environment needs to provision its resources and compute capacity based on expected growth. To minimize costs, it is important to avoid over-provisioning or under-provisioning of resources. Companies can use services like AWS Auto Scaling to automatically scale their resources up or down based on demand. This way, the company can ensure that it has enough resources to handle expected growth without wasting money on idle resources.

A, B, and D are not the most relevant solutions in this scenario because:

A. Creating multiple unique IAM users with administrator access for each functional group of the company is not a good practice because it can lead to increased administrative overhead and higher security risks. It is better to follow the principle of least privilege and give users only the permissions they need to perform their jobs.

B. Using AWS CloudFront template versions and revision controls to keep track of the dynamic configuration changes is more relevant for managing web content delivery than for managing users and resources securely.

D. Implementing the most stringent security measures on the VPC edge rather than on the resource hosts is not the best practice because it can lead to increased complexity and lower performance. Instead, companies should implement security measures at multiple layers, including the VPC edge, resource hosts, and applications, to achieve defense in depth.