
SCS-C02 Question #140: Real Exam Question with Answer & Explanation

The correct answer is A.

Submitted by neha2k · Mar 6, 2026

Identity and Access Management / Security Governance: implementing preventive controls using Service Control Policies (SCPs) to enforce security baselines across an AWS Organization without disrupting existing IAM permissions.

Question

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts. All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts. Which SCP should the security engineer attach to the root of the organization to meet these requirements?

Options

  • A. { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "guardduty:DeleteDetector", "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" ], "Resource": "*" } ] }
  • B. { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "*:*,y" ], "Resource": "*" }, { "Effect": "Allow", "NotAction": [ "guardduty:DeleteDetector", "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" ], "Resource": "*" } ] }
  • C. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*:*", "Resource": "*" }, { "Effect": "Deny", "NotAction": [ "guardduty:DeleteDetector", "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" ], "Resource": "*" } ] }
  • D. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": [ "guardduty:DeleteDetector", "guardduty:UpdateDetector", "securityhub:DisableSecurityHub" ], "Resource": "*" } ] }

Explanation

Option A is correct because it uses a targeted Deny SCP that explicitly blocks only the specific actions needed to disable GuardDuty and Security Hub (DeleteDetector, UpdateDetector, DisableSecurityHub). In AWS Organizations, SCPs work as guardrails: a Deny in an SCP always overrides any Allow in IAM policies, and because this SCP only denies those specific actions without touching others, it does not override or restrict any other permissions granted by IAM policies in member accounts. The existing FullAWSAccess SCP already provides broad Allow coverage, so no additional Allow statements are needed in this SCP.
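To make the evaluation logic in the explanation concrete, here is an added Python simulation (not from the exam page or from AWS) of how the SCP layer and an identity's IAM policy combine. It simplifies real evaluation by matching only the Action/NotAction element (Resource is ignored), treating every SCP as attached at the root, and using a constructed job-function role; with those assumptions it shows why option A blocks the three disabling actions but nothing else, while option D leaves them allowed because FullAWSAccess still grants them.

```python
import fnmatch

# Constructed for this example: the default FullAWSAccess SCP that the question says
# is attached everywhere, plus options A and D from the question.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

PROTECTED = ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
             "securityhub:DisableSecurityHub"]

OPTION_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": PROTECTED, "Resource": "*"}]}

OPTION_D = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": PROTECTED, "Resource": "*"}]}

# Constructed job-function role: broad GuardDuty/Security Hub access plus one S3 read.
ROLE_POLICY_ACTIONS = ["guardduty:*", "securityhub:*", "s3:GetObject"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action):
    """True if the statement applies to `action`, handling Action and NotAction."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    # NotAction applies to everything EXCEPT the listed actions.
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def scp_permits(scps, action):
    """SCP layer: at least one Allow must match and no Deny may match (Deny wins)."""
    allowed = denied = False
    for policy in scps:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def is_allowed(scps, iam_actions, action):
    """Final decision: SCPs set the ceiling; the identity's IAM policy grants within it."""
    iam_allows = any(fnmatch.fnmatchcase(action, p) for p in iam_actions)
    return scp_permits(scps, action) and iam_allows
```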

Topics

AWS Organizations SCPs · IAM Security Controls · GuardDuty · Security Hub
