Topic 1 Question 160
2 つ選択A company has an AWS Control Tower landing zone. The company's DevOps team creates a workload OU. A development OU and a production OU are nested under the workload OU. The company grants users full access to the company's AWS accounts to deploy applications.
The DevOps team needs to allow only a specific management IAM role to manage the IAM roles and policies of any AWS accounts in only the production OU.
Which combination of steps will meet these requirements?
Create an SCP that denies full access with a condition to exclude the management IAM role for the organization root.
Ensure that the FullAWSAccess SCP is applied at the organization root.
Create an SCP that allows IAM related actions. Attach the SCP to the development OU.
Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the workload OU.
Create an SCP that denies IAM related actions with a condition to exclude the management IAM role. Attach the SCP to the production OU.
ユーザの投票
コメント(4)
- 正解だと思う選択肢: BE
You need to understand how SCP inheritance works in AWS. The way it works for Deny policies is different that allow policies.
Allow polices are passing down to children ONLY if they don't have an allow policy.
Deny policies always pass down to children.
That's why there is always an SCP set to the Root to allow everything by default. If you limit this policy, the whole organization will be limited, not matter what other policies are saying for the other OUs. So it's not A. It's not D because it restricts the wrong OU.
👍 3d262e672023/12/31 - 正解だと思う選択肢: AE
A and E
👍 1PrasannaBalaji2023/12/29 - 正解だと思う選択肢: BE
Answer is B & E.
A is not correct because it would prevent the developers team to access the Developer OU. That wouldn't make sense.
👍 1kabary2023/12/31
シャッフルモード