Topic 1 Question 104
A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:
The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console.
Which change must a security engineer implement so that the developers can access Amazon SES?
A. Add a resource policy that allows each member of the group to access Amazon SES.
B. Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}.
C. Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES.
D. Remove Amazon SES from the root SCP.
User votes
Comments (8)
- Selected answer: D
The answer is D
👍 3 [Removed] 2024/05/25
- Selected answer: D
Option D is the correct solution. The root SCP is denying access to Amazon SES across the organization. Even though the OU SCP and IAM policy allow SES access, the root SCP takes precedence and blocks it. Removing Amazon SES from the root SCP whitelist will resolve the issue and allow the developers to access SES based on the permissions granted in their IAM policy.
Option A is incorrect because resource policies apply at the service level, not for IAM users/groups.
Option B is also related to resource policies, not the issue with the SCP whitelist.
Option C mentions AWS Control Tower which is not referenced in the question. The SCP is set through AWS Organizations.
So the root cause is the root SCP denying access to SES, and it needs to be removed from that SCP to allow access that is permitted in the lower levels of permissions.
👍 2 azure4life 2024/06/14
- Selected answer: D
Why are most of the answers incorrect here?
👍 2 ykhan321 2024/06/20
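To make the evaluation order behind the accepted answer concrete, here is an added Python simulation (not from the question, the commenters, or any AWS code) of how SCPs bound identity-based permissions: an action is authorized only if every SCP in the chain from the root down to the account allows it and the IAM policy also allows it. The policy documents are constructed to mirror the scenario; the real root SCP is not shown on the page.

```python
"""Simulate AWS SCP + IAM policy evaluation for a single API action.

Scope: Action matching only (IAM-style wildcards, case-insensitive).
Resource, Condition and NotAction are deliberately out of scope.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy, action):
    """Return 'Allow', 'Deny' (explicit) or None (implicit deny) for one policy."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny anywhere wins
            decision = "Allow"
    return decision


def is_authorized(scp_chain, identity_policy, action):
    """SCPs never grant; they only bound what identity policies can grant.

    Every SCP on the path (root, each OU, account) must return 'Allow';
    an explicit Deny or a missing Allow at any level blocks the action.
    """
    if not all(evaluate_policy(scp, action) == "Allow" for scp in scp_chain):
        return False
    return evaluate_policy(identity_policy, action) == "Allow"


# Constructed policies mirroring the question (hypothetical documents).
ROOT_SCP_DENY_SES = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ses:*", "Resource": "*"}]}
ROOT_SCP_ALLOWLIST_NO_SES = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
ROOT_SCP_FIXED = {"Statement": [          # option D: SES no longer blocked
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
OU_SCP = {"Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
DEV_GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}


def developer_can(action, root_scp):
    """Effective permission for a developer in the account under root -> OU."""
    return is_authorized([root_scp, OU_SCP], DEV_GROUP_POLICY, action)
```

Both an explicit Deny and a root allow-list that simply omits SES block the call, which is why the fix must happen at the root SCP rather than in a resource policy.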