DOP-C02 Question #160: Real Exam Question with Answer & Explanation
The correct answer is C.
Question
A company manages multiple AWS accounts in AWS Organizations. The company's security policy states that AWS account root user credentials for member accounts must not be used. The company monitors access to the root user credentials. A recent alert shows that the root user in a member account launched an Amazon EC2 instance. A DevOps engineer must create an SCP at the organization's root level that will prevent the root user in member accounts from making any AWS service API calls. Which SCP will meet these requirements?
Options
- A: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*", "Condition": { "StringNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" } } } ] }`
- B: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "Principal": { "AWS": "arn:aws:iam::*:root" } } ] }`
- C: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "StringNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" } } ] }`
- D: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*", "Principal": { "AWS": "arn:aws:iam::*:root" } } ] }`
Explanation
Option C is correct because an SCP blocks a principal with a 'Deny' effect whose 'Condition' block uses 'StringNotLike' on 'aws:PrincipalArn' to target the root user. The ARN pattern 'arn:aws:iam::*:root' (the '*' wildcard in the account position) matches the root user of any member account, and placing that condition under the statement's 'Condition' key (the JSON shown puts the operator outside the standard 'Condition' block, but it represents the intended deny-with-condition pattern) denies every API call when the calling principal is the root user. SCPs act as guardrails: explicit Deny statements with conditions restrict specific principals.
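As an added example (not part of the exam page), the Python below is a small evaluator for an SCP Deny statement conditioned on `aws:PrincipalArn`. It runs the same Deny-everything statement under `StringLike` and under `StringNotLike` against a constructed root ARN and a constructed IAM role ARN, so the reader can check which operator denies only the root user, and it includes a lint that flags a statement whose condition operator sits outside the `Condition` block or that carries a `Principal` element. The account ID, role name, policy documents and the `iam_wildcard_match`, `scp_denies` and `lint_scp_statement` helpers are all constructed for this example; the evaluator supports only the four `String*` operators.

```python
"""Added example: evaluate and lint an SCP Deny statement on aws:PrincipalArn.
All policies, ARNs and helper names here are constructed for illustration."""
import re

ROOT_ARN = "arn:aws:iam::111122223333:root"          # constructed account id
ROLE_ARN = "arn:aws:iam::111122223333:role/Deploy"   # constructed role

STRING_OPERATORS = {"StringLike", "StringNotLike", "StringEquals", "StringNotEquals"}
ALLOWED_STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction",
                          "Resource", "NotResource", "Condition"}


def deny_all_with(operator: str, pattern: str = "arn:aws:iam::*:root") -> dict:
    """Build a Deny-everything SCP whose only condition is on aws:PrincipalArn."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {operator: {"aws:PrincipalArn": pattern}}}]}


DENY_ROOT_STRINGLIKE = deny_all_with("StringLike")      # matches only the root user
DENY_ALL_BUT_ROOT = deny_all_with("StringNotLike")      # matches everyone except root


def iam_wildcard_match(pattern: str, value: str) -> bool:
    """IAM string matching: '*' is any run of characters, '?' one character,
    comparison is case-sensitive. Everything else in the pattern is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, context: dict) -> bool:
    """True when every operator/key pair matches (AND across keys, OR across a
    key's list of values). Only the String* operators are modelled."""
    for operator, pairs in condition.items():
        if operator not in STRING_OPERATORS:
            raise ValueError(f"unsupported condition operator {operator!r}")
        negate = "Not" in operator
        exact = "Equals" in operator
        for key, patterns in pairs.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = context.get(key)
            if value is None:
                return False  # assumption for this example: a missing key never matches
            hit = any((p == value) if exact else iam_wildcard_match(p, value)
                      for p in patterns)
            if hit == negate:   # StringLike needs a hit; StringNotLike needs none
                return False
    return True


def scp_denies(policy: dict, principal_arn: str, action: str) -> bool:
    """Does any Deny statement in the SCP match this principal calling this action?"""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(iam_wildcard_match(a, action) for a in actions):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def lint_scp_statement(stmt: dict) -> list:
    """Report structural problems: a condition operator outside 'Condition',
    a 'Principal' element (SCPs do not support it), or an unexpected key."""
    problems = []
    for key in stmt:
        if key in STRING_OPERATORS:
            problems.append(f"condition operator '{key}' must sit inside a 'Condition' block")
        elif key == "Principal":
            problems.append("'Principal' is not supported in SCPs; use aws:PrincipalArn in a Condition")
        elif key not in ALLOWED_STATEMENT_KEYS:
            problems.append(f"unexpected statement key '{key}'")
    return problems


if __name__ == "__main__":
    for name, policy in (("StringLike", DENY_ROOT_STRINGLIKE), ("StringNotLike", DENY_ALL_BUT_ROOT)):
        for arn in (ROOT_ARN, ROLE_ARN):
            print(f"{name:13} {arn:45} denied={scp_denies(policy, arn, 'ec2:RunInstances')}")
    misplaced = {"Effect": "Deny", "Action": "*", "Resource": "*",
                 "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
    print(lint_scp_statement(misplaced))
```

Running the block prints one line per operator/principal pair followed by the lint findings for a statement whose operator is not wrapped in `Condition`; `scp_denies` evaluates only the `aws:PrincipalArn` context key, so it is a teaching aid, not a replacement for the IAM policy simulator.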