Topic 1 Question 280
A company uses AWS Organizations to manage its AWS accounts. The organization root has a child OU that is named Department. The Department OU has a child OU that is named Engineering. The default FullAWSAccess policy is attached to the root, the Department OU, and the Engineering OU.
The company has many AWS accounts in the Engineering OU. Each account has an administrative IAM role with the AdministratorAccess IAM policy attached. The default FullAWSAccessPolicy is also attached to each account.
A DevOps engineer plans to remove the FullAWSAccess policy from the Department OU. The DevOps engineer will replace the policy with a policy that contains an Allow statement for all Amazon EC2 API operations.
What will happen to the permissions of the administrative 1AM roles as a result of this change?
All API actions on all resources will be allowed.
All API actions on EC2 resources will be allowed. All other API actions will be denied.
All API actions on all resources will be denied.
All API actions on EC2 resources will be denied. All other API actions will be allowed.
ユーザの投票
コメント(6)
- 正解だと思う選択肢: B
When the FullAWSAccess policy is replaced with a policy that allows only EC2 actions, this new SCP will act as a boundary. Even if an IAM role or user within the account has a broader permission set (like AdministratorAccess), the SCP limits what can be done.
👍 4hzaki2024/08/25 - 正解だと思う選択肢: B
vote B..
👍 2siheom2024/08/25 - 正解だと思う選択肢: B
I'ts B
👍 2ApacheKafkaAWS2024/08/29
シャッフルモード