Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in understanding the boundaries of cross-account Service Catalog portfolio sharing and permission delegation. In production, this is about knowing exactly what an importing account’s administrator can and cannot do when a portfolio is shared from another AWS account. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
OmegaTech Solutions is a multinational company that uses AWS Service Catalog to centrally manage approved AWS resources. The AWS infrastructure team in the primary account created a curated Service Catalog portfolio containing standardized products such as EC2 templates and Lambda functions. This portfolio is shared with the Security Operations account to enable secure and compliant deployment of resources.
The Security Operations team’s AWS Administrator, who controls the receiving account, wants to understand what actions they can perform regarding the imported portfolio and its products.
The Requirement: #
Identify what actions the Security Operations AWS Administrator can perform on the imported Service Catalog portfolio and its products.
The Options #
- A) Add products from the imported portfolio into a new local portfolio within their account.
- B) Add new products to the imported portfolio itself.
- C) Modify the launch roles used by products in the imported portfolio.
- D) Customize (modify) the products included in the imported portfolio.
Google adsense #
leave a comment:
Correct Answer #
A
Quick Insight: The SysOps Imperative #
An importing account can organize products locally but cannot alter or extend the original shared portfolio. Understanding these access boundaries helps prevent accidental misconfigurations.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option A
The Winning Logic #
When an AWS Service Catalog portfolio is shared across AWS accounts, the receiving account imports a read-only copy of the portfolio. The importing administrator can create a new local portfolio in their account and add products from the imported portfolio into that local portfolio, enabling them to organize and provision approved products locally.
However, cross-account sharing does not allow the importing account to modify the original shared portfolio or its products:
- They cannot add new products to the imported portfolio (Option B).
- They cannot change the launch roles assigned within the shared portfolio’s products (Option C).
- They cannot customize the products themselves in the imported portfolio (Option D).
The sharing model is designed to maintain centralized governance and security controls in the source account, preventing modification by external administrators.
The Trap (Distractor Analysis): #
-
Why not B?
The imported portfolio is essentially a snapshot in the receiving account, not editable. Adding new products requires changes in the source portfolio only. -
Why not C?
Launch roles define permissions for product provisioning. These roles are defined in the source account’s product and cannot be altered remotely. -
Why not D?
Customization of products (templates/configurations) only happens in the owning account. Imported portfolios are immutable read-only copies.
The Technical Blueprint #
For SysOps / SOA candidates, a CLI snippet demonstrating portfolio sharing and importing:
# Share a portfolio from the source account
aws servicecatalog associate-budget-with-resource --portfolio-id port-xxxx --budget-name "DeploymentBudget"
# In the importing account, list imported portfolios
aws servicecatalog list-portfolios --query "PortfolioDetails[?Type=='IMPORTED']"
# Create a local portfolio and add products from imported portfolio
aws servicecatalog create-portfolio --display-name "SecOps Local Portfolio" --provider-name "OmegaTech Security Team"
aws servicecatalog associate-product-with-portfolio --product-id prod-xxxx --portfolio-id local-port-xxxx
The Comparative Analysis (SysOps Focus) #
| Option | Operational Overhead | Automation Level | Impact on Governance |
|---|---|---|---|
| A | Low – standard local setup | Medium – can automate local portfolio creation | Preserves centralized control, safe approach |
| B | High – requires modifying source portfolio (not allowed) | None | Breaks governance, not permitted |
| C | Medium – role mismanagement risk | Low | Potential security risk, not permitted remotely |
| D | High – modification outside source control | None | Violates principle of centralized compliance |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the exam, always remember: Imported portfolios are read-only—manage products locally.”
Real World #
“In reality, teams often design with strict portfolio ownership to ensure security and audit controls, sharing only curated portfolios without direct write access.”
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the AWS SOA-C02 exam.