SAP-C02 Question #86: Real Exam Question with Answer & Explanation
The correct answer is B: Remove the FullAWSAccess SCP from the Developer account's OU.
Question
A company is in the process of implementing AWS Organizations to constrain its developers to use only Amazon EC2, Amazon S3, and Amazon DynamoDB. The developers account resides in a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers account: When this policy is deployed, IAM users in the developers account are still able to use AWS services that are not listed in the policy. What should the solutions architect do to eliminate the developers' ability to use services outside the scope of this policy?
Options
- A. Create an explicit deny statement for each AWS service that should be constrained.
- B. Remove the FullAWSAccess SCP from the Developer account's OU.
- C. Modify the FullAWSAccess SCP to explicitly deny all services.
- D. Add an explicit deny statement using a wildcard to the end of the SCP.
Explanation
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html#orgs_policies_allowlist

To use SCPs as an allow list, you must replace the AWS managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow. By removing the default FullAWSAccess SCP, all actions for all services are now implicitly denied. Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to allow.

Why the developers' SCP had no effect as deployed: when SCPs are enabled, FullAWSAccess (an Allow on "*") is attached to the root and to every OU and account by default. At any single level of the hierarchy an action is permitted if at least one SCP attached at that level allows it and none denies it, and the effective result is the intersection of those per-level decisions from the root down to the account. As long as FullAWSAccess sits beside the custom allow list on the developers' OU, that level still allows every action, so the allow list changes nothing. Detaching FullAWSAccess from the OU leaves the allow list as the only source of Allow at that level, and everything it does not list is now implicitly denied.

Two practical caveats. First, attach the allow-list SCP before detaching FullAWSAccess so there is no window in which nothing is allowed. Second, the allow list loses the catch-all Allow for the developers, so it must also permit any actions they legitimately need outside EC2, S3 and DynamoDB (for example STS or IAM calls used for sign-in and role assumption); otherwise those break too.

Why the other options fail: C is not possible, because FullAWSAccess is an AWS managed SCP and cannot be edited. D would cut off everything, since an explicit Deny in an SCP overrides every Allow, including the EC2, S3 and DynamoDB access the company wants to keep. A is a deny list rather than an allow list: it needs a Deny statement for every other service, and any service added by AWS later is open again until someone updates the policy.
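The per-level evaluation described above is easy to misjudge by reading policy text alone, so here is an added model of it in Python (example code written for this page, not code from the exam or from AWS). The developers' SCP is not reproduced on the page, so `DEVELOPERS_ALLOW_LIST` is a constructed allow list for the three services named in the question; `FULL_AWS_ACCESS` mirrors the AWS managed policy. The model evaluates an action along the path root -> developers OU -> account and shows the state from the question, the state after option B, and what option D would do.

```python
"""Model of SCP evaluation along an account's path in AWS Organizations.

Added example (not from the page or from AWS). It implements the rule that
an action passes one level of the hierarchy only if some SCP attached at
that level allows it and none denies it, and passes overall only if every
level from the root to the account passes. Resource, Condition and
NotAction are ignored, which is enough for a service-level allow list.
"""
import fnmatch

# The AWS managed SCP attached to every root, OU and account by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Assumed content of the developers' SCP (constructed for this example;
# the question's policy is not reproduced on the page).
DEVELOPERS_ALLOW_LIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "dynamodb:*"], "Resource": "*"}
    ],
}

# Option D from the question: the same policy with a wildcard Deny appended.
DEVELOPERS_WITH_WILDCARD_DENY = {
    "Version": "2012-10-17",
    "Statement": DEVELOPERS_ALLOW_LIST["Statement"]
    + [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}


def _statements(policy):
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else stmts


def _action_patterns(stmt):
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _matches(pattern, action):
    # IAM action names match case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def level_allows(policies, action):
    """One level (root, an OU or the account): True if at least one attached
    SCP explicitly allows the action and no attached SCP explicitly denies it."""
    allowed = denied = False
    for policy in policies:
        for stmt in _statements(policy):
            if any(_matches(p, action) for p in _action_patterns(stmt)):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_permits(path, action):
    """Effective SCP decision: the intersection of every level on the path."""
    return all(level_allows(level, action) for level in path)


def developers_account(ou_policies):
    """Evaluate a few sample actions for the path root -> developers OU ->
    account, with FullAWSAccess left in place at the root and the account."""
    path = [[FULL_AWS_ACCESS], ou_policies, [FULL_AWS_ACCESS]]
    actions = ("ec2:RunInstances", "s3:GetObject",
               "dynamodb:PutItem", "lambda:CreateFunction")
    return {a: scp_permits(path, a) for a in actions}


# As deployed in the question: FullAWSAccess still attached beside the allow list.
BEFORE = developers_account([FULL_AWS_ACCESS, DEVELOPERS_ALLOW_LIST])
# Option B: FullAWSAccess detached from the OU, allow list remains.
AFTER = developers_account([DEVELOPERS_ALLOW_LIST])
# Option D: wildcard Deny appended, FullAWSAccess still attached.
OPTION_D = developers_account([FULL_AWS_ACCESS, DEVELOPERS_WITH_WILDCARD_DENY])

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("option B", AFTER), ("option D", OPTION_D)):
        print(label, result)
```

In the "before" state `lambda:CreateFunction` is still permitted because FullAWSAccess supplies an Allow at the OU level; after option B it is denied while the three listed services remain allowed; with option D every action, EC2 included, is denied because the explicit Deny wins. On a real organization the equivalent change is `aws organizations attach-policy` for the allow-list SCP followed by `aws organizations detach-policy --policy-id p-FullAWSAccess --target-id <OU id>`, in that order.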