Topic 1 Question 373
A SysOps administrator manages policies for many AWS member accounts in an AWS Organizations structure. Administrators on other teams have access to the account root user credentials of the member accounts. The SysOps administrator must prevent all teams, including their administrators, from using Amazon DynamoDB. The solution must not affect the ability of the teams to access other AWS services.
Which solution will meet these requirements?
A. In all member accounts, configure IAM policies that deny access to all DynamoDB resources for all users, including the root user.
B. Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization.
C. In all member accounts, configure IAM policies that deny AmazonDynamoDBFullAccess to all users, including the root user.
D. Remove the default service control policy (SCP) in the management account. Create a replacement SCP that includes a single statement that denies all DynamoDB actions.
Comments (4)
- Option I think is correct: B
The answer is B as you have no idea what other SCP policies could be in place and deleting the entire SCP would be bad practice.
👍 7 eboehm 2023/07/21
- Option I think is correct: B
Service Control Policies (SCPs) are a feature of AWS Organizations that allow you to set permissions across all member accounts in the organization. When you apply an SCP at the root of the organization, it affects all member accounts within that organization.
In this scenario, by creating an SCP that denies all DynamoDB actions and applying it to the root of the AWS organization, you effectively block access to Amazon DynamoDB for all users, including the root user, in all member accounts within the organization. This solution prevents any team, including their administrators, from using DynamoDB while still allowing access to other AWS services that are not restricted by the SCP.
👍 3 Christina666 2023/07/28
I'm not sure, but for me it's something between B and D, but not C.
👍 2 jas26says 2023/07/21
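To compare options B and D, the following added example (not part of the original question or comments) models how SCPs filter an action: a Deny at any level blocks it, and every level from the organization root down to the account must also contain a matching Allow. It is a simplified sketch that ignores `Resource`, `Condition` and `NotAction`; the function names and the two-level layout are assumptions made for illustration.

```python
import fnmatch

# Constructed policies for illustration. FULL_AWS_ACCESS mirrors the default
# FullAWSAccess SCP that AWS Organizations attaches to every root, OU and account.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_DYNAMODB = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllDynamoDB", "Effect": "Deny",
     "Action": "dynamodb:*", "Resource": "*"}]}


def _matches(statement, action):
    """True if the statement's Action pattern(s) cover the requested action."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_permits(levels, action):
    """levels: one list of attached SCPs per level, organization root first.

    The action passes the SCP filter only if no level denies it and every
    level explicitly allows it. IAM policies in the account still apply on
    top of this result; SCPs never grant permissions themselves.
    """
    for attached in levels:
        statements = [s for policy in attached for s in policy["Statement"]]
        if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
            return False  # explicit deny always wins
        if not any(s["Effect"] == "Allow" and _matches(s, action) for s in statements):
            return False  # implicit deny: nothing at this level allows it
    return True


# Option B: keep the default SCP and add the deny at the organization root.
OPTION_B = [[FULL_AWS_ACCESS, DENY_DYNAMODB], [FULL_AWS_ACCESS]]
# Option D: the default SCP at the root is replaced by a deny-only SCP.
OPTION_D = [[DENY_DYNAMODB], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    for name, levels in (("B", OPTION_B), ("D", OPTION_D)):
        for action in ("dynamodb:GetItem", "s3:GetObject"):
            print(name, action, scp_permits(levels, action))
```

Under option D the deny-only SCP leaves no Allow at the root, so every service is implicitly denied, which violates the requirement that other AWS services stay accessible.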