Topic 1 Question 174
A company uses AWS Organizations to manage its AWS accounts. The company has a root OU that has a child OU. The root OU has an SCP that allows all actions on all resources. The child OU has an SCP that allows all actions for Amazon DynamoDB and AWS Lambda, and denies all other actions.
The company has an AWS account that is named vendor-data in the child OU. A DevOps engineer has an IAM user that is attached to the Administrator Access IAM policy in the vendor-data account. The DevOps engineer attempts to launch an Amazon EC2 instance in the vendor-data account but receives an access denied error.
Which change should the DevOps engineer make to launch the EC2 instance in the vendor-data account?
Attach the AmazonEC2FullAccess IAM policy to the IAM user.
Create a new SCP that allows all actions for Amazon EC2. Attach the SCP to the vendor-data account.
Update the SCP in the child OU to allow all actions for Amazon EC2.
Create a new SCP that allows all actions for Amazon EC2. Attach the SCP to the root OU.
ユーザの投票
コメント(4)
- 正解だと思う選択肢: C
It's C - Allow must be explicit from root all the way down to the account level. Since it's not specified in the OU the only way to make it available to vendor-account is to change the OU policy.
👍 2csG132023/12/29 - 正解だと思う選択肢: C
C is correct
👍 1PrasannaBalaji2023/12/29 - 正解だと思う選択肢: C
The only correct option
👍 1d262e672023/12/31
シャッフルモード