AWS Certified Solutions Architect - Professional

A company will several AWS accounts is using AWS Organizations and service control policies (SCPs). An Administrator created the following SCP and has attached it to an organizational unit (OU) that contains AWS account 1111-1111-1111: { "Version": "2012-10-27" "Statement": [ { "Side": "AllowsAllActions", "Effect": "Allow", "Action": "", "Resource": "" }, { "Side": "DenyCloudTrail", "Effect": "Deny", "Action": "CloudTrail:", "Resource": "" } ] } Developers working in account 1111-1111-1111 complain that they cannot create Amazon S3 buckets. How should the Administrator address this problem?

Exam-Like

Add s3:CreateBucket with "Allow" effect to the SCP.

Remove the account from the OU, and attach the SCP directly to account 1111-1111-1111.

Instruct the Developers to add Amazon S3 permissions to their IAM entities.

Remove the SCP from account 1111-1111-1111.

Explanation:

A.Explicit deny will overwrite any allow https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html B.Will still stop the action C.IAM cannot overwrite SCP, both of them need to allow the action, but the policy did not deny create s3 bucket permission D.Will work, probably not the best choice There should be a SCP written somewhere, but B,D doesn't look correct at all. https:// docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html_

AWS Certified Solutions Architect - Professional

Comments

Get started today