AWS Certified DevOps Engineer - Professional



In an AWS Organizations setup, the root contains an OU named 'Environments', which in turn has two child OUs: 'Development' and 'Production'. All these OUs currently have the default FullAWSAccess policy. A DevOps engineer intends to remove the FullAWSAccess policy from the 'Development' OU and replace it with a policy that permits all actions exclusively on Amazon EC2 resources. What would be the resulting access control effect for users within the 'Development' OU after this policy change?




Explanation:

The correct answer is B. In AWS Organizations, for permissions to be effective for a specific account, an explicit Allow statement must exist at every level from the root through each OU in the direct path to the account, including the account itself. Removing the FullAWSAccess policy and replacing it with a policy that only allows actions on Amazon EC2 resources means users in the Development OU will only have permissions for EC2 actions. All other actions will be explicitly denied. This ensures that actions not explicitly allowed are denied by default.
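The evaluation rule described above, as an added example that is not part of the original page: a simplified model that looks only at Allow statements and action wildcards, ignoring Deny statements, conditions and IAM policies. The policy bodies, the OU paths and the account names `dev-account` and `prod-account` are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed SCP documents. EC2_ONLY is an assumed form of the replacement policy.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}]}

# Paths from the root down to a member account (account names are hypothetical).
DEV_PATH = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Environments", [FULL_AWS_ACCESS]),
    ("Development", [EC2_ONLY]),        # FullAWSAccess detached, EC2-only attached
    ("dev-account", [FULL_AWS_ACCESS]),
]
PROD_PATH = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Environments", [FULL_AWS_ACCESS]),
    ("Production", [FULL_AWS_ACCESS]),  # sibling OU is unchanged
    ("prod-account", [FULL_AWS_ACCESS]),
]

def action_patterns(stmt):
    """Normalize the Action element to a list of patterns."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else action

def level_allows(policies, action):
    """True if any SCP attached at this level has an Allow matching the action."""
    action = action.lower()
    return any(
        stmt["Effect"] == "Allow"
        and any(fnmatchcase(action, p.lower()) for p in action_patterns(stmt))
        for policy in policies
        for stmt in policy["Statement"]
    )

def scp_decision(path, action):
    """Return (allowed, blocking_level); every level in the path must allow the action."""
    for name, policies in path:
        if not level_allows(policies, action):
            return False, name  # no matching Allow at this level, so the action is filtered out
    return True, None

if __name__ == "__main__":
    for act in ("ec2:RunInstances", "s3:GetObject", "iam:CreateUser"):
        print(act, "dev:", scp_decision(DEV_PATH, act), "prod:", scp_decision(PROD_PATH, act))
```

An SCP only caps what is possible in the account; an IAM policy inside the account must still grant the EC2 action before a user can perform it.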
