Topic 1 Question 134
A company uses AWS Organizations to manage its AWS accounts. The organization root has an OU that is named Environments. The Environments OU has two child OUs that are named Development and Production, respectively.
The Environments OU and the child OUs have the default FullAWSAccess policy in place. A DevOps engineer plans to remove the FullAWSAccess policy from the Development OU and replace the policy with a policy that allows all actions on Amazon EC2 resources.
What will be the outcome of this policy replacement?
A. All users in the Development OU will be allowed all API actions on all resources.
B. All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.
C. All users in the Development OU will be denied all API actions on all resources.
D. All users in the Development OU will be denied all API actions on EC2 resources. All other API actions will be allowed.
Comments (13)
- Selected answer: B
AWS Organizations uses Service Control Policies (SCPs) to manage permissions across accounts within an organization. By removing the FullAWSAccess policy and replacing it with a policy that allows all actions on Amazon EC2 resources, the effect would be that users in the Development OU can perform all actions on EC2 resources, but will be denied all other AWS actions. This is because an SCP doesn't grant permissions, but instead acts as a guardrail that defines the maximum permissions users and roles can have.
👍 4 tartarus23 2023/06/20
- Selected answer: A
A is correct. Development OU will inherit FullAccess from the Environments OU; no explicit DENY in the new AllowAllEc2 policy.
👍 4 vherman 2023/08/03
- Selected answer: B
All users in the Development OU will be allowed all API actions on EC2 resources. All other API actions will be denied.
👍 3 ds50421 2023/06/20
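Added example (not part of the question or of any comment above): a small Python model of how AWS Organizations evaluates SCPs along the path from the root to an OU, where an action needs an Allow at every level and an explicit Deny at any level blocks it. The policy and function names are hypothetical, and Resource and Condition elements are left out as a simplification.

```python
from fnmatch import fnmatchcase

# Constructed SCP statements (simplified: Resource and Condition are not evaluated).
FULL_AWS_ACCESS = {"Effect": "Allow", "Action": "*"}
ALLOW_ALL_EC2 = {"Effect": "Allow", "Action": "ec2:*"}  # hypothetical replacement policy

# OU tree from the question: Root -> Environments -> Development / Production.
PARENT = {"Root": None, "Environments": "Root",
          "Development": "Environments", "Production": "Environments"}

def path_to_root(ou):
    """Return the OU and all of its ancestors, ending at the root."""
    path = []
    while ou is not None:
        path.append(ou)
        ou = PARENT[ou]
    return path

def matches(statement, action):
    """Case-insensitive wildcard match of an API action against a statement."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_permits(ou, action, attached):
    """True if the SCPs on every level of the path leave `action` available.

    This is only the SCP ceiling; IAM policies in the account must still grant it.
    """
    for level in path_to_root(ou):
        statements = attached.get(level, [])
        if any(s["Effect"] == "Deny" and matches(s, action) for s in statements):
            return False  # explicit Deny at any level wins
        if not any(s["Effect"] == "Allow" and matches(s, action) for s in statements):
            return False  # no Allow at this level: implicitly denied
    return True

# Attachments before and after the change described in the question.
BEFORE = {ou: [FULL_AWS_ACCESS] for ou in PARENT}
AFTER = dict(BEFORE, Development=[ALLOW_ALL_EC2])

if __name__ == "__main__":
    for action in ("ec2:RunInstances", "s3:GetObject"):
        for ou in ("Development", "Production"):
            print(ou, action, scp_permits(ou, action, AFTER))
```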