Topic 1 Question 114
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.
Which SCP should the security engineer attach to the root of the organization to meet these requirements?
Comments (5)
- Selected answer: A
A is correct. The NotAction element cannot be used in this case.
You only need an explicit DENY here since all accounts and OUs already have a default FullAWSAccess SCP but you don't want them to be able to disable Amazon GuardDuty and AWS Security Hub.
👍 3 AgboolaKun 2024/05/28
- Selected answer: A
A is correct, key word in SCP is to Deny, because it overwrites the FullAccessSCP Allow statement.
👍 3 ahrentom 2024/05/29
- Selected answer: D
Probably going with D but still not 100% sure how is it going to work that way... would appreciate if someone could help in understanding this question..
👍 2 Aamee 2024/05/28
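Added example, not part of the thread and not a reproduction of the exam's answer options (which are not shown on this page): a simplified Python model of how an explicit Deny SCP combines with the default FullAWSAccess SCP and an account's IAM policy, next to a Deny + NotAction variant. The policy contents, the sample role policy and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed statements (Resource and Condition omitted for brevity).
FULL_AWS_ACCESS = {"Effect": "Allow", "Action": ["*"]}
# Deny-list SCP: blocks only the calls that turn the services off.
DENY_LIST_SCP = {"Effect": "Deny", "Action": [
    "guardduty:DeleteDetector", "guardduty:UpdateDetector",
    "securityhub:DisableSecurityHub"]}
# Anti-pattern: Deny + NotAction blocks everything EXCEPT the listed actions.
DENY_NOTACTION_SCP = {"Effect": "Deny",
                      "NotAction": ["guardduty:*", "securityhub:*"]}
# Hypothetical job-function role policy defined inside a member account.
ROLE_POLICY = [{"Effect": "Allow",
                "Action": ["s3:GetObject", "guardduty:*", "securityhub:*"]}]

def _hit(patterns, action):
    # IAM action names are case-insensitive and support * wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def applies(stmt, action):
    """True if the statement covers the action via Action or NotAction."""
    if "NotAction" in stmt:
        return not _hit(stmt["NotAction"], action)
    return _hit(stmt["Action"], action)

def decide(statements, action):
    """Explicit Deny wins; without a matching Allow the result is implicit deny."""
    effects = [s["Effect"] for s in statements if applies(s, action)]
    if "Deny" in effects:
        return "explicit-deny"
    return "allow" if "Allow" in effects else "implicit-deny"

def authorized(scps, iam_policy, action):
    """A request succeeds only if the SCP layer AND the IAM policy allow it.
    The OU hierarchy is flattened here because FullAWSAccess is attached
    at every level in the scenario."""
    return (decide(scps, action) == "allow"
            and decide(iam_policy, action) == "allow")

if __name__ == "__main__":
    for name, scp in [("deny-list", DENY_LIST_SCP),
                      ("deny+NotAction", DENY_NOTACTION_SCP)]:
        for act in ["guardduty:DeleteDetector", "securityhub:DisableSecurityHub",
                    "guardduty:ListDetectors", "s3:GetObject"]:
            ok = authorized([FULL_AWS_ACCESS, scp], ROLE_POLICY, act)
            print(f"{name:15} {act:32} {'ALLOWED' if ok else 'DENIED'}")
```

With the deny-list SCP, only the disabling calls are blocked and everything else is still decided by the account's IAM policy; the Deny + NotAction variant does the opposite on both counts.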



