AWS Certified Security - Specialty
Get started today
Ultimate access to all questions.
Ultimate access to all questions.
In an AWS Organization with Service Control Policies (SCPs), the root SCP is configured as follows: The company's developers, who are part of a group with an IAM policy allowing all actions on Amazon Simple Email Service (Amazon SES) via ses:* actions, are experiencing authorization errors when attempting to access Amazon SES through the AWS Management Console. The developers' account is a child of an Organizational Unit (OU) that permits Amazon SES actions. What modification should a security engineer make to enable the developers to access Amazon SES?
Explanation:
The developers are receiving a not-authorized error because the root Service Control Policy (SCP) is likely restricting access to Amazon SES. SCPs at the root level take precedence over IAM policies and policies at the Organizational Unit (OU) level. Therefore, even though the IAM policy and the OU-level SCP allow access to Amazon SES, the developers are being restricted by the root SCP. To resolve this issue, the security engineer should remove Amazon SES from the root SCP, thereby allowing the permissions set by the IAM policy and the OU-level SCP to take effect.