
SOA-C02 Question #696: Real Exam Question with Answer & Explanation

The correct answer is B: Create a service control policy (SCP) in the management account to deny all DynamoDB actions. An SCP set in the management account and attached at the root of the organization applies a deny to every principal in every child account - including those using the root user - while leaving other services unaffected. IAM policies inside accounts cannot override an SCP deny, so

Submitted by akirajp · Mar 30, 2026

Question

A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services. Which solution will meet these requirements?

Options

  • A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all
  • B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions.
  • C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all
  • D. Remove the default service control policy (SCP) in the management account. Create a

Explanation

An SCP set in the management account and attached at the root of the organization applies a deny to every principal in every child account - including those using the root user - while leaving other services unaffected. IAM policies inside accounts cannot override an SCP deny, so this is the only way to guarantee DynamoDB is blocked everywhere without impacting access to
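The evaluation logic this explanation relies on, as an added example that is not part of the original page: a simplified Python model with constructed policies, showing that an SCP deny binds a member account's root user while an in-account IAM deny does not. It assumes actions only (no resources, conditions or OU hierarchy), and all policy and function names are illustrative.

```python
import fnmatch

# Constructed policies. FULL_AWS_ACCESS mirrors the default SCP in AWS Organizations;
# DENY_DYNAMODB_SCP is one way to write the SCP that option B describes.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_DYNAMODB_SCP = {"Statement": [
    {"Sid": "DenyAllDynamoDB", "Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]}
# Identity policies inside a member account: an admin grant and an option A/C style deny.
ADMIN_IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_DENY_DYNAMODB = {"Statement": [
    {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]}


def _effects(policies, action):
    """Return the set of Effects from statements whose Action pattern matches."""
    found = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = stmt["Action"]
            patterns = [patterns] if isinstance(patterns, str) else patterns
            # IAM action names are case-insensitive and allow * wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                found.add(stmt["Effect"])
    return found


def is_allowed(action, scps, iam_policies, is_root_user=False):
    """Simplified decision for a principal in a member account (actions only)."""
    scp = _effects(scps, action)
    # SCPs bound every principal in the account, the root user included:
    # an explicit Deny wins, and an action with no SCP Allow is blocked.
    if "Deny" in scp or "Allow" not in scp:
        return False
    if is_root_user:
        # Identity policies cannot be attached to the root user, so an
        # in-account IAM deny never reaches it; only the SCP limits it.
        return True
    iam = _effects(iam_policies, action)
    return "Deny" not in iam and "Allow" in iam


if __name__ == "__main__":
    org = [FULL_AWS_ACCESS, DENY_DYNAMODB_SCP]
    for who, root in (("IAM admin", False), ("root user", True)):
        for action in ("dynamodb:GetItem", "s3:GetObject"):
            print(who, action, is_allowed(action, org, [ADMIN_IAM_POLICY], root))
```

Passing `[FULL_AWS_ACCESS]` as the only SCP together with `IAM_DENY_DYNAMODB` shows the gap in the IAM-only options: the IAM user is blocked, but the root user is not.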
