
Answer-first summary for fast verification
Answer: Instruct the developers to add Amazon S3 permissions to their IAM entities.
Service control policies (SCPs) in AWS Organizations do not grant permissions. Instead, they act as a guardrail that defines the maximum set of permissions that identity-based policies can grant to IAM users or roles in the accounts within the organizational unit (OU). Therefore, even if an SCP allows the s3:CreateBucket action, that permission must still be granted explicitly to the IAM entities involved; an action is allowed only when both the SCP and the identity-based policy allow it. In this case, the developers need to add Amazon S3 permissions to their IAM entities to be able to create S3 buckets. Thus, the correct answer is C: Instruct the developers to add Amazon S3 permissions to their IAM entities.
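The evaluation rule described above (SCP sets the ceiling, the identity-based policy must actually grant the action, and an explicit deny anywhere wins) can be illustrated with a small simulator. This is an added example, not code from LeetQuiz or from AWS; the SCP and IAM policy documents are constructed for illustration (the page does not show the real SCP), and the evaluator is deliberately simplified to the Action element only, ignoring Resource, Condition, NotAction, permissions boundaries and session policies.

```python
import fnmatch
import json

# Constructed SCP attached to the OU. Assumption: it permits S3 actions,
# matching the scenario where the SCP is not the thing blocking the developers.
PERMISSIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}
  ]
}
""")

# Constructed SCP that never mentions S3: the ceiling itself excludes the action,
# so no identity-based policy in the account can make s3:CreateBucket work.
RESTRICTIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}
""")

# Constructed identity-based policy on the developers' IAM role before the fix:
# it grants nothing for S3, which is why bucket creation fails.
DEVELOPER_POLICY_BEFORE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}
""")

# The same role after applying answer C: S3 permission granted on the IAM entity.
DEVELOPER_POLICY_AFTER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are matched case-insensitively with '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document.

    Simplified model: only the Action element is evaluated. An explicit Deny
    on a matching statement short-circuits, because deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective_decision(scps, identity_policy, action):
    """Simplified account-level evaluation: every SCP in the OU path must allow
    the action AND the identity-based policy must allow it. Anything else is Deny."""
    for scp in scps:
        if policy_decision(scp, action) != "Allow":
            return "Deny"  # the SCP ceiling excludes (or explicitly denies) the action
    if policy_decision(identity_policy, action) != "Allow":
        return "Deny"  # SCP permits it, but nothing actually granted it to the principal
    return "Allow"


if __name__ == "__main__":
    # Scenario from the question: SCP allows S3, the role grants nothing for S3.
    print(effective_decision([PERMISSIVE_SCP], DEVELOPER_POLICY_BEFORE, "s3:CreateBucket"))  # Deny
    # Answer C applied: the identity-based policy now grants s3:CreateBucket.
    print(effective_decision([PERMISSIVE_SCP], DEVELOPER_POLICY_AFTER, "s3:CreateBucket"))   # Allow
    # Counter-case: an SCP that omits S3 blocks the action regardless of the role's policy.
    print(effective_decision([RESTRICTIVE_SCP], DEVELOPER_POLICY_AFTER, "s3:CreateBucket"))  # Deny
```

The three calls at the bottom map directly onto the answer choices: with the permissive SCP the only missing piece is the grant on the IAM entity (answer C), while the restrictive SCP shows the one situation where editing the SCP would be the right move, which is not the situation the question describes.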
Author: LeetQuiz Editorial Team
A company utilizing multiple AWS accounts within AWS Organizations has implemented service control policies (SCPs). An administrator has applied a specific SCP to an organizational unit (OU) containing AWS account 1111-1111-1111. Developers within this account report they are unable to create Amazon S3 buckets. What is the appropriate action for the administrator to resolve this issue?
A. Add s3:CreateBucket with "Allow" effect to the SCP.
B. Remove the account from the OU, and attach the SCP directly to account 1111-1111-1111.
C. Instruct the developers to add Amazon S3 permissions to their IAM entities.
D. Remove the SCP from account 1111-1111-1111.