Explanation:
Service Control Policies (SCPs) in AWS Organizations offer central control over the maximum available permissions for all accounts in your organization. An SCP applied to the organization root to deny DynamoDB actions will effectively restrict access for all IAM users and roles, including the root user of the member accounts. Removing the default FullAWSAccess SCP (Option D) is not recommended because an explicit allow is required to grant any access; without it, all other services would also be blocked. Option B is correct because you apply a deny policy alongside the existing allow policies.
Ultimate access to all questions.
Question 23. A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services. Which solution will meet these requirements?
A
In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
B
Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization
C
In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
D
Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.
No comments yet.