Topic 1 Question 57
A company with several AWS accounts is using AWS Organizations and service control policies (SCPs). An administrator created the following SCP and has attached it to an organizational unit (OU) that contains AWS account 1111-1111-1111:
Developers working in account 1111-1111-1111 complain that they cannot create Amazon S3 buckets. How should the administrator address this problem?
A. Add s3:CreateBucket with “Allow” effect to the SCP.
B. Remove the account from the OU, and attach the SCP directly to account 1111-1111-1111.
C. Instruct the developers to add Amazon S3 permissions to their IAM entities.
D. Remove the SCP from account 1111-1111-1111.
User votes
Comments (16)
- Selected answer: C
SCP doesn’t grant permission.
👍 8 Atila50 2023/01/15

C is correct. The SCP policy allows everything except CloudTrail. An SCP is a boundary, but it does not give allow to IAM users. You have to configure allow for every IAM
👍 7 zhangyu20000 2023/01/15

- Selected answer: C
C - Users and roles must still be granted permissions with appropriate IAM permission policies. A user without any IAM permission policies has no access at all, even if the applicable SCPs allow all services and all actions.
👍 4 Damijo 2023/03/16
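The point the commenters make (an SCP is a boundary that never grants permissions, so the developers' IAM identities need their own allow statement) as an added Python example that is not part of the page. The SCP and IAM policies below are constructed (the question's actual SCP is not reproduced on the page), and the evaluator is a deliberately simplified model of AWS policy evaluation: it considers Action patterns only, with no Resource, Condition, or resource-based policies.

```python
import fnmatch

# Constructed SCP modelled on the commenters' description: allow everything
# except CloudTrail. It is NOT the question's actual SCP.
SCP_ALLOW_ALL_EXCEPT_CLOUDTRAIL = [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:*"},
]

# Constructed IAM identity policy the developers would need (option C).
DEV_S3_POLICY = [
    {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:ListAllMyBuckets"]},
]


def _matches(action_field, action):
    """Match an IAM action against a statement's Action (string or list, '*' wildcards)."""
    patterns = action_field if isinstance(action_field, list) else [action_field]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def evaluate(statements, action):
    """Evaluate one policy: explicit Deny wins, then Allow, else implicit deny (None).
    A policy with no statements (e.g. an IAM entity with no policies) is always None."""
    decision = None
    for stmt in statements:
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(scps, identity_policy, action):
    """Simplified model of the question: every SCP on the account's path must allow
    the action (SCPs are a boundary), AND the identity policy must grant it. An SCP
    allow on its own never results in access."""
    for scp in scps:
        if evaluate(scp, action) != "Allow":
            return False
    return evaluate(identity_policy, action) == "Allow"


if __name__ == "__main__":
    scps = [SCP_ALLOW_ALL_EXCEPT_CLOUDTRAIL]
    print("no IAM policy:", is_allowed(scps, [], "s3:CreateBucket"))            # False
    print("with IAM policy:", is_allowed(scps, DEV_S3_POLICY, "s3:CreateBucket"))  # True
```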