
Explanation:
Service Control Policies (SCPs) are the correct tool for enforcing permission limits across an entire AWS Organization. Unlike IAM policies, SCPs can restrict actions for the root user of a member account. Applying a Deny SCP at the organization root effectively blocks DynamoDB access for all accounts and users within the organization, including local administrators and the root user, while leaving other services unaffected. Options A and C are incorrect because IAM policies do not restrict the root user. Option D is incorrect because removing the default Allow-All SCP without a replacement Allow statement would result in an implicit deny for all services, not just DynamoDB.
Question 23. A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services. Which solution will meet these requirements?
A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization.
C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.